

The author’s experience in the cybersecurity domain has highlighted a fundamental reality: there are commendable aspects, critical gaps, and infinite opportunities for improvement.
One of these areas for improvement has to do with the actions taken when an employee departs from an organization. The moment an employee leaves the organization marks the start of a series of critical actions related to information security and regulatory compliance that frequently goes ignored.
Often underestimated by management, human resources (HR), or IT, the management of accounts, mailboxes, and digital files of former employees represents a significant point of risk if not managed with the robust criteria of lawfulness, privacy, and traceability. However, organizations can implement a practical procedure developed based on the author’s experience in real environments. This procedure, aligned with guidance such as the EU General Data Protection Regulation (GDPR), IT governance standards, and ethical data protection principles can help organizations navigate the process of securely managing former employee data.
What is Off-boarding Security?
Off-boarding security encompasses all of the actions that an organization must take to ensure that sensitive information is not exposed after the departure of an employee. This includes account deactivation, mailbox management, secure file storage, and information retrieval procedures under criteria of necessity and proportionality. This process is critical to avoid information leaks and malpractice, while ensuring regulatory compliance and the development of a business culture oriented toward the protection of information.
Through engaging in the actions outlined, organizations can ensure that the life cycle of a former employee's files, accounts, and permissions is properly managed, something that is often not done correctly and can cause legal, privacy, and regulatory compliance issues if not handled properly.
Account Deactivation
Deactivating the accounts of former employees is an essential step in any secure exit procedure within an organization. This measure ensures that there is no technical possibility of reuse or manipulation of information through former employee accounts. Furthermore, removing these accounts from organizational systems reduces the risk of security breaches, data theft, and misuse of enterprise resources. Deactivation and removal of former employee accounts can strengthen an organization’s digital hygiene as well as ensure compliance with data retention policies and legal obligations such as the GDPR, the US Health Insurance Portability and Accountability Act (HIPAA), Spain’s National Security Scheme (ENS) and so on.1
Email Mailbox Management
Proper mailbox management during employee offboarding is essential to ensure business continuity, protect privacy, and maintain compliance with regulations, such as the GDPR.2 Key actions, such as timely account deactivation, auto-reply configuration, and secure deletion or backup of email data, help avoid major compliance risk for the organization. If neglected, mailbox mismanagement can lead to the exposure of personal data, missed communications, operational disruptions, regulatory fines, and even the loss of critical evidence in legal proceedings. A structured and well-documented process minimizes risk while demonstrating due diligence and responsible data governance.
Organizations can utilize 5 steps to effectively manage former employee email mailboxes:
Step 1—Immediate Access Restriction
After the employee's departure, it will be necessary to change the mailbox password to prevent unauthorized access. This action should be documented with the date and responsible party for the action, for example between IT and HR departments as part of the secure offboarding protocol.
Step 2—Auto-Reply Message and Grace Period
An automatic response should be set up to inform those that message the account that it will be disabled in 30 days. This period allows relevant communications to be redirected to the appropriate parties and ensures operational continuity by avoiding the loss of critical information or business-relevant emails during the transition. The deactivation message serves as a barrier by notifying messengers that the mailbox is no longer active. This discourages colleagues, clients, or third parties from sending emails or attempting to access the mailbox after the employee has departed the organization.
Internally, this process must also be supported by a policy (e.g., “define a maximum retention of 3 months, under the approval of the steering committee”). This approach adheres to the principles of minimization and temporal limitation defined in the GDPR.
Step 3—Secure Mailbox Backup
After the 30-day grace period, the mailbox should be exported to a personal storage table (PST) file or be backed up in the cloud. If a PST file exists, it must be encrypted and stored both on a physical medium (encrypted USB) and in the cloud (encrypted at rest), with limited access granted to personnel who have been authorized by organizational management. These copies should only be kept for as long as legally required by applicable local law (e.g., for legal action or business defense). This backup will function as a preventive measure against possible legal obligations, audits, or operational needs, guaranteeing that specific information can be recovered without keeping the email account active.
Step 4—Access Documentation
The encryption password, storage locations, and custodians must be recorded. This ensures traceability, process auditing, and regulatory compliance. It is not necessary to register the current password for accessing the mailbox, since this password will be changed every time an information search is conducted.
Step 5—Retrieval of Justified Information
If there is a (legitimate) need to retrieve data, a predefined list of search terms must be approved. Some example search terms include:
- Name of a project (“project XYZ”)
- Email addresses (“contact@domain.com”)
- Specific words or file names (“financial Budget 2024.xlsx”)
When retrieving information, organizations should ensure strict adherence to data privacy rights. Although many enterprise policies may prohibit the personal use of email, such rules are often overlooked, especially those restricting personal use of organizational devices. As a result, employees may store sensitive information on organizational systems. For this reason, organizations must take great care to protect and manage former employees’ data privacy rights during the retrieval process.
Indiscriminate access to the mailbox or PST file must be forbidden, thus ensuring the protection of personal data. Extraction should be conducted by authorized personnel in controlled environments (e.g., browsing in private mode, using computers without associated accounts, temporary virtual machines, etc.). This extraction must be documented: the process, the searched words, user access, date, time, etc.
Local Archives and Documents Management
All files on the ex-employee's computer should be moved to an encrypted nominal folder with restricted access, hosted on the same external device or cloud storage as the PST document (if it exists), or in a dedicated repository.
Search queries for information in these files must also be governed by a predefined and documented list of keywords, avoiding unjustified mass access.
Once the information has been extracted, and after secure deletion and full device sanitation (complete erase) has been applied, the physical devices associated with the former employee can be reused.
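Step 5 of the mailbox procedure and the keyword rule for local archives both require that retrieval is limited to an approved list of search terms and that every search is documented (who searched, when, which terms, against which copy of the data). The following is an added example, not code from the article or its author, of how that control can be implemented in Python. It assumes the mailbox was exported to mbox format (a PST would have to be converted first; that step is not covered here), and that the export file is hashed so the audit record pins down exactly which copy was searched. The messages, file names, approved terms, requester and custodian values are constructed sample data; a search that includes any term outside the approved list is refused outright rather than silently trimmed.

```python
import hashlib
import json
import mailbox
import os
import tempfile
from datetime import datetime, timezone
from email.message import EmailMessage


def sha256_of_file(path):
    """Hash the export so the audit record identifies exactly which copy was searched."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def items_from_mbox(path):
    """Yield (identifier, searchable text) per message: key headers plus text/plain bodies."""
    for msg in mailbox.mbox(path):
        parts = [msg.get("Subject", ""), msg.get("From", ""), msg.get("To", "")]
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                raw = part.get_payload(decode=True) or b""
                parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
        yield "mbox:" + msg.get("Message-ID", "?"), " ".join(parts)


def items_from_directory(root):
    """Yield (identifier, searchable text) per archived file.
    Only file names are searched here; content search needs a parser per file format."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name), name


def controlled_search(items, requested_terms, approved_terms, requester, custodian, source_sha256):
    """Search only with pre-approved terms; return (hits, audit_record).

    A requested term that is not on the approved list aborts the whole search
    instead of being dropped silently, so the request has to be re-approved."""
    approved = {t.casefold() for t in approved_terms}
    refused = [t for t in requested_terms if t.casefold() not in approved]
    if refused:
        raise PermissionError("terms not on the approved list: %r" % refused)
    items = list(items)
    hits = {}
    for ident, text in items:
        folded = text.casefold()
        matched = [t for t in requested_terms if t.casefold() in folded]
        if matched:
            hits[ident] = matched
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "requester": requester,
        "custodian": custodian,
        "source_sha256": source_sha256,
        "terms": list(requested_terms),
        "items_scanned": len(items),
        "items_matched": sorted(hits),  # identifiers only: no message content goes into the log
    }
    return hits, record


def build_sample_export(workdir):
    """Constructed sample data: a three-message mbox export and two archived files."""
    mbox_path = os.path.join(workdir, "jdoe-export.mbox")
    box = mailbox.mbox(mbox_path)
    for mid, sender, subject, body in [
        ("<m1@example.invalid>", "colleague@example.invalid", "Status of project XYZ", "Milestone plan attached."),
        ("<m2@example.invalid>", "contact@domain.com", "Invoice question", "Please confirm PO 4471."),
        ("<m3@example.invalid>", "friend@example.invalid", "Weekend photos", "Here are the pictures."),
    ]:
        msg = EmailMessage()
        msg["Message-ID"], msg["From"], msg["To"], msg["Subject"] = mid, sender, "jdoe@example.invalid", subject
        msg.set_content(body)
        box.add(msg)
    box.close()
    files_dir = os.path.join(workdir, "jdoe-files")
    os.makedirs(files_dir)
    for name in ("financial Budget 2024.xlsx", "passport_scan.jpg"):
        open(os.path.join(files_dir, name), "wb").close()
    return mbox_path, files_dir


def demo():
    """Search the sample export with the article's example terms; returns (hits, audit record)."""
    workdir = tempfile.mkdtemp()
    mbox_path, files_dir = build_sample_export(workdir)
    approved = ["project XYZ", "contact@domain.com", "financial Budget 2024.xlsx"]
    items = list(items_from_mbox(mbox_path)) + list(items_from_directory(files_dir))
    hits, record = controlled_search(items, approved, approved,
                                     requester="legal@example.invalid",
                                     custodian="it-security@example.invalid",
                                     source_sha256=sha256_of_file(mbox_path))
    with open(os.path.join(workdir, "retrieval-audit.jsonl"), "a") as log:  # append-only audit trail
        log.write(json.dumps(record) + "\n")
    return hits, record


if __name__ == "__main__":
    found, audit = demo()
    print(json.dumps({"hits": found, "audit": audit}, indent=2))
```

The personal message ("Weekend photos") and the passport scan are never surfaced because no approved term matches them, which is the point of the approved-list control; the audit line records the hash of the export, the requester, the custodian, the terms and the matched identifiers, but not message content.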
Retention Periods and Data Deletion
A well-defined data retention and deletion policy is a key component in the secure offboarding of former employees. It ensures compliance with legal requirements, mitigates unnecessary data exposure, and upholds Article 5 of the GDPR and the principle of storage limitation, which mandates that personal data must not be kept longer than necessary for the purposes for which it was collected.3
When an employee leaves the organization, various types of information, such as the employee’s remaining emails, HR records, payroll data, access logs, project documents, etc., may still exist on organizational systems. Retaining this data indefinitely exposes the organization to legal, security, and privacy risk. However, premature deletion can obstruct legal defense, audit readiness, or continuity needs.
To reach the right balance, organizations must implement structured retention schedules based on 3 pillars:
- Legal requirements—Different jurisdictions impose varying mandates. Organizations must be aware of this evolving legal landscape to best maintain compliance. For example:
- In the European Union, Article 5(1)(e)4 of the GDPR mandates that personal data be “kept in a form which permits identification of data subjects for no longer than is necessary.” However, it is up to the organization to determine what is necessary.
- The General Tax Law (Ley General Tributaria) and Commercial Code (Código de Comercio) in Spain require the retention of financial and HR data for 4 to 10 years.5
- The Labor Code (Code du Travail) and General Tax Code (Code Général des Impôts) in France require that payroll records, contracts, timesheets, etc., be retained for a minimum period of 5 years.6
- The Fair Labor Standards Act (FLSA) in the United States requires employment records to be retained for at least 3 years, while IRS regulations often require tax records to be kept for 7 years.7
- The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada does not mandate specific durations, but requires data be destroyed or anonymized when no longer needed.8
- Operational needs—Some data may be temporarily retained for business continuity reasons, including client handover, knowledge transfer, or pending audits. However, the retention of data must always be fully justified and time bound.
- Risk and privacy management—Retaining data longer than necessary increases the risk of that data being breached, leading to potential privacy violations. This is especially true for mailboxes with personal emails and personal files that may contain sensitive content.
Applicable local law should be reviewed to establish retention periods for data associated with a former employee. Analyzing the data to be stored, the applicable laws in the country of coverage, and the organization's operational and risk prevention needs will be necessary to establish a specific, customized policy.
While specific laws vary by jurisdiction, figure 1 provides several example retention periods that can serve as a general baseline for organizations establishing or reviewing their data retention policy.
Figure 1—Example Retention Periods
| Data Category | Recommended Minimum Retention Period | Rationale |
|---|---|---|
| Employee payroll records | 3–6 years | Aligns with tax and labor regulations in Canada, the European Union, and the United States |
| Online email accounts, service access accounts (such as Azure, Google, or Amazon Web Services [AWS] user accounts), and other communications | 30 days to 12 months (recommendation is no more than 3 months) | For continuity, audits, and pending legal matters or projects |
| Stored email messages | 1–6 years post-employment | Asset benefits, enterprise correspondence, data on ongoing projects |
| HR documentation | 1–6 years post-employment | Covers typical statutes of limitation for claims |
| Employee files | 6 to 12 months after termination | Operational continuity, efficient transfer of tasks; no specific GDPR period; retention depends on national laws or statutes of limitation for organizational claims |
| Employee personal files, i.e., non-work-related personal files stored on organizational devices | Immediate elimination | There is no legal basis for their conservation after the end of the employee’s tenure. If the former employee has a “personal folder” on organizational systems, it must be deleted. This may include personal photos, scanned copies of ID cards or passports, banking documents, personal invoices, receipts for private purchases, private notes, CVs or job applications, and exported messages from personal apps (e.g., WhatsApp, social media, and so on) |
| Recruitment/application records | 6–24 months after hiring decision | The GDPR recommends short retention for unsuccessful candidates, and consent is required for longer retention9 |
| Access logs and authentication data | 1–2 years | Supports security investigations and incident forensics |
| Whistleblowing documents | 6 months to 1 year after outcome | Retain only as long as necessary to resolve the issue, according to GDPR data minimization principles. National laws may specify longer periods. |
| Financial or procurement records | 4–10 years | Commonly required for tax/audit compliance |
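A retention schedule only works if someone (or something) checks it on a calendar. As an added example, not from the article, the ranges in Figure 1 can be codified so that each stored item is classified on a given date as "retain" (below the minimum), "review" (between minimum and maximum: deletion is allowed and continued storage needs written justification), "delete" (past the maximum, i.e., overdue) or "hold" (a documented legal hold overrides the clock). The month values are my reading of Figure 1's ranges, with the online-account maximum set to the recommended 3 months; the category keys, record identifiers and dates are constructed, and the clock start for recruitment and whistleblowing records is the hiring decision or case outcome rather than the termination date, as Figure 1 states.

```python
import calendar
from datetime import date

# Retention windows in months, read from Figure 1 as (minimum, maximum).
# Assumption: the maximum is the upper end of each range; for online accounts
# the recommended 3-month ceiling is used. Personal files are 0/0: delete at once.
RETENTION_MONTHS = {
    "payroll_records": (36, 72),
    "online_accounts": (1, 3),
    "stored_email": (12, 72),
    "hr_documentation": (12, 72),
    "employee_files": (6, 12),
    "personal_files": (0, 0),
    "recruitment_records": (6, 24),       # clock starts at the hiring decision
    "access_logs": (12, 24),
    "whistleblowing_documents": (6, 12),  # clock starts at the case outcome
    "financial_records": (48, 120),
}


def add_months(d, months):
    """Calendar-aware month arithmetic (31 Jan + 1 month gives the last day of Feb)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def classify(record, today):
    """Return the retention state of one record on the given date.

    record = {"id": ..., "category": ..., "start": date, "legal_hold": bool};
    'start' is the event the retention clock runs from."""
    if record.get("legal_hold"):
        return "hold"       # never delete while a documented hold exists
    minimum, maximum = RETENTION_MONTHS[record["category"]]
    if today < add_months(record["start"], minimum):
        return "retain"
    if today < add_months(record["start"], maximum):
        return "review"     # deletion allowed; keep only with written justification
    return "delete"         # past the policy maximum: overdue


def deletion_schedule(records, today):
    """Group records by state so the custodian gets one worklist per review date."""
    schedule = {"retain": [], "review": [], "delete": [], "hold": []}
    for rec in records:
        schedule[classify(rec, today)].append(rec["id"])
    return schedule


def demo():
    """Constructed records for one leaver (termination 15 Jan 2024) reviewed on 1 Jun 2025."""
    left = date(2024, 1, 15)
    records = [
        {"id": "payroll-jdoe", "category": "payroll_records", "start": left},
        {"id": "m365-jdoe", "category": "online_accounts", "start": left},
        {"id": "mbox-jdoe", "category": "stored_email", "start": left, "legal_hold": True},
        {"id": "files-jdoe", "category": "employee_files", "start": left},
        {"id": "personal-jdoe", "category": "personal_files", "start": left},
        {"id": "authlog-jdoe", "category": "access_logs", "start": left},
    ]
    return deletion_schedule(records, date(2025, 6, 1))


if __name__ == "__main__":
    for state, ids in demo().items():
        print(f"{state:7s} {', '.join(ids) or '-'}")
```

Running the review 16 months after termination flags the online account, the employee files and the personal files as overdue, keeps the payroll records, puts the access logs into the review window, and leaves the mailbox export untouched because of its legal hold. The legal-hold check comes before any date arithmetic on purpose: a hold must never be lost to a policy maximum.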
Retention and deletion are not mere formalities, especially for former employees who could also sue the organization for poor practices in managing their information and personal data.
It is the responsibility of the organization to safeguard the organization’s legal standing as well as former employee data, thereby reducing attack surfaces and respecting the privacy rights of former employees.
Conclusion
These actions provide organizations with a realistic, secure, and compliant roadmap for managing the information of former employees. Securely managing former employee data reduces legal risk, ensures privacy, and demonstrates a strong commitment to information governance. The balance between the organization’s needs and fundamental rights must be the guiding principle in any procedure of this type.
Endnotes
1 GDPR.eu, “General Data Protection Regulation (GDPR)”; U.S. Department of Health and Human Services (HHS), “Summary of the HIPAA Privacy Rule”; Microsoft, “Spain Esquema Nacional de Seguridad (ENS) High-Level Security Measures,” 21 March 2025
2 GDPR.eu, “How Does the GDPR Affect Email?”
3 Information Commissioners Office (ICO), “Principle (e): Storage Limitation,” United Kingdom
4 Intersoft Consulting, “Art. 5 GDPR Principles Relating to Processing of Personal Data”
5 State Agency Official State Gazette, Royal Decree of 22 August 1885 Publishing the Commercial Code, Spain; State Agency Official State Gazette, Act No. 58/2003 of 17 December, General Tax, Spain
6 République Française, “Mandatory Information on the Website of an Individual Entrepreneur,” France, 31 July 2023
7 U.S. Department of Labor (DOL), “Handy Reference Guide to the Fair Labor Standards Act”; U.S. Internal Revenue Service (IRS), “How Long Should I Keep Records?,” US
8 Office of the Privacy Commissioner of Canada, “PIPEDA Fair Information Principles,” Canada
9 European Data Protection Supervisor, “Staff Recruitment,” European Union, 10 October 2008
Alfonso Lopez Moreno, CISM, CDPSE, CEH, CIH, CTIA, ITIL V4, ISO27001 Lead Auditor
Is a senior cybersecurity professional with over 20 years of experience in corporate environments, leading data protection, IT security, and regulatory compliance initiatives in international organizations. His approach combines technical knowledge with a strategic vision focused on information governance and respect for digital privacy. Passionate about continuous improvement and the creation of practical protocols, he brings a realistic, action-oriented, and risk-oriented perspective based on his direct experience in the sector.