04 Jun 2026
Employee Offboarding Checklist: Everything You Need to Do When Someone Leaves
Complete offboarding checklist for small businesses: access revocation, GDPR compliance, asset recovery and administrative close. No HR team needed.
When someone leaves, that's when the part nobody has organised begins
Onboarding gets a bad reputation in small businesses, but offboarding is far worse. When someone leaves, there's pressure to manage the transition quickly, the team is watching what happens, and in the middle of all that there's a list of things someone needs to do before that person walks out the door.
The problem is that list almost never exists in writing. It lives in the owner's or manager's head, gets improvised every time, and something always gets missed.
And what gets missed is rarely trivial. It's the Slack access that's still active three months later. The company email still receiving messages. The Google account nobody closed. The billing system that's technically still open.
This article gives you the complete list of what needs to happen when an employee leaves — with particular focus on what gets neglected most: digital access and GDPR compliance.
Why offboarding matters more than it seems
There's an obvious reason to handle offboarding properly: business continuity. Recover the laptop, run the exit interview, redistribute tasks. Everyone understands that part.
But there are two reasons that small businesses routinely overlook — and that are potentially far more serious.
1. Unrevoked access is a real security risk
When an employee leaves, how many tools do they have access to? Email, Slack, Notion, Google Drive, Trello, the booking system, the billing dashboard, the company WhatsApp group, the Instagram account. In a team of ten, the list typically has between eight and fifteen applications.
If access isn't revoked systematically, some stays active indefinitely. Not because anyone means harm — simply because nobody had a list of what needed to be closed.
2. GDPR requires you to manage the employee's data when they leave
When an employee leaves, GDPR sets specific obligations about what to do with their personal data. You can't keep it indefinitely. There are retention limits, employee rights (access, rectification, erasure), and documentation you'll need to produce if there's ever an audit or a complaint.
Ignoring this isn't just an administrative oversight — it's a compliance failure with real legal consequences.
Complete offboarding checklist
This list covers every step of a properly handled offboarding. Not every item applies to every situation — adapt it to your business and sector.
When the departure is confirmed
- ☐ Record the last working day
- ☐ Notify the team with enough lead time
- ☐ Decide who takes over the departing employee's responsibilities
- ☐ Plan the knowledge transfer: documents, contacts, ongoing projects
- ☐ Calculate outstanding holiday and prepare the final settlement
- ☐ Agree on the notice period and departure terms
Knowledge transfer (before the last day)
- ☐ Document the processes that person managed
- ☐ Transfer key contacts (clients, suppliers, external collaborators)
- ☐ Hand over ongoing projects with current status
- ☐ Identify any passwords or access credentials only they knew
- ☐ Set up email forwarding to their successor or manager
- ☐ Exit interview: what went well, what they'd improve, why they're leaving
Asset recovery
- ☐ Company laptop or devices
- ☐ Office key card or keys
- ☐ Corporate credit card
- ☐ Any equipment, workwear, or role-specific materials
Digital access revocation — the most critical part
This is the block that most often gets left incomplete. Work through it systematically, with a full list of every tool that person had access to.
- ☐ Company email account (deactivate, don't delete — set up forwarding first)
- ☐ Google Workspace or Microsoft 365: Drive, Calendar, shared documents
- ☐ Slack or other internal communication tools
- ☐ Project management tools (Notion, Trello, Asana, ClickUp…)
- ☐ Billing or accounting system
- ☐ CRM or sales tools
- ☐ Team password manager (1Password, Bitwarden…): revoke access and rotate any shared passwords they knew
- ☐ Code repositories (GitHub, GitLab…)
- ☐ Design tools (Figma, Canva…)
- ☐ Company social media accounts they had access to
- ☐ Booking systems, POS, or sector-specific software
- ☐ Server or infrastructure access (if applicable)
- ☐ Third-party accounts managed on behalf of the company (Google Ads, Meta, etc.)
- ☐ WhatsApp, Telegram, or other team messaging groups
Important: every revocation should be logged — who did it and when. If there's ever a complaint or audit, you need to be able to demonstrate that access was closed.
Documentation and GDPR
- ☐ Retain the employee file for the legally required period (varies by country — check local employment law)
- ☐ Document which personal data is being retained and for how long
- ☐ Inform the employee of their data rights (access, rectification, erasure)
- ☐ If the employee requests erasure: anonymise their data while preserving the audit trail required by law
- ☐ Complete payroll processing and deregister from social security (if applicable in your country)
- ☐ Issue the employment certificate or reference letter
Administrative close
- ☐ Final settlement signed by both parties
- ☐ Update the org chart and internal documentation
- ☐ Reassign any software subscriptions or licences in their name
- ☐ Confirm no outstanding payments in either direction
- ☐ Formal close of the offboarding process: all steps completed and logged
The most common mistake: running offboarding from memory
In small teams, offboarding happens when it has to — under pressure, with the team unsettled and a dozen other things going on at the same time. In those conditions, working from memory guarantees something will be missed.
The fix isn't complicated: have the list in writing, assign each task to a specific person, and log when it's done. The first time you set it up takes an afternoon. After that, every departure is just running what you already have.
What doesn't work is rebuilding the process from scratch every time someone leaves, or relying on the manager on duty to remember everything.
Adapting the process by industry
Hospitality and food service
Turnover is high and departures are frequent. The focus should be on shift management system access, team messaging groups, and any shared credentials for the venue (alarm, till, booking accounts). A streamlined template that any shift manager can run in twenty minutes is more valuable than a thorough process nobody has time to follow.
Retail
Prioritise revoking access to the POS system, inventory management, and supplier accounts. If the employee had access to company social media, change those passwords on the day they leave.
Services and tech teams
The access list here is longer and more technical. GitHub, servers, CI/CD pipelines, monitoring tools, cloud accounts. Every unrevoked access is a risk vector. Revocation needs to be immediate, and the record of who had access to what needs to exist from day one — not be reconstructed after the fact when it's already too late.
How to tell if your offboarding process has gaps
Ask yourself these questions about the last person who left your company:
- Do you know exactly how many tools they had access to?
- Can you confirm all of those accesses have been revoked?
- Do you have a log of who revoked each one and when?
- Do you know which of their personal data you still hold and for how long?
If any answer is "no" or "I'm not sure", there's a gap in the process.
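The first three questions can be checked mechanically once the access inventory and the revocation log exist as records. The script below is an added example, not part of the original article or of any product it mentions; the record layout, field names and sample data are assumptions constructed for illustration. It reports accesses with no revocation entry, entries missing who or when, and revocations dated after the last working day.

```python
from datetime import date, datetime

# Constructed sample data (assumed layout, not from a real system).
INVENTORY = [  # who was granted access to what
    {"employee": "j.doe", "tool": "Company email"},
    {"employee": "j.doe", "tool": "Slack"},
    {"employee": "j.doe", "tool": "GitHub"},
    {"employee": "j.doe", "tool": "Google Drive"},
    {"employee": "j.doe", "tool": "Billing system"},
    {"employee": "m.ray", "tool": "Slack"},
]
REVOCATIONS = [  # one entry per revocation: who did it and when
    {"employee": "j.doe", "tool": "Company email",
     "revoked_by": "a.owner", "revoked_at": "2026-05-29T17:05:00"},
    {"employee": "j.doe", "tool": "slack ",  # name typed differently, no "who"
     "revoked_by": "", "revoked_at": "2026-05-29T17:10:00"},
    {"employee": "j.doe", "tool": "GitHub",  # closed after the last day
     "revoked_by": "a.owner", "revoked_at": "2026-06-02T09:00:00"},
]

def _key(tool):
    # Match tool names regardless of case or stray whitespace.
    return tool.strip().casefold()

def audit_offboarding(employee, last_day, inventory, revocations):
    """Compare what an employee had access to against the revocation log."""
    tools = sorted({r["tool"] for r in inventory if r["employee"] == employee})
    logged = {_key(r["tool"]): r for r in revocations if r["employee"] == employee}
    report = {"tools": tools, "not_revoked": [],
              "incomplete_log": [], "revoked_late": []}
    for tool in tools:
        entry = logged.get(_key(tool))
        if entry is None:
            report["not_revoked"].append(tool)        # no evidence it was closed
        elif not entry.get("revoked_by") or not entry.get("revoked_at"):
            report["incomplete_log"].append(tool)     # closed, but who/when missing
        elif datetime.fromisoformat(entry["revoked_at"]).date() > last_day:
            report["revoked_late"].append(tool)       # closed after departure
    return report

if __name__ == "__main__":
    result = audit_offboarding("j.doe", date(2026, 5, 29), INVENTORY, REVOCATIONS)
    for name, value in result.items():
        print(f"{name}: {value}")
```

Any non-empty list other than `tools` is a gap of the kind the questions above are meant to surface.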
When the team grows, manual offboarding starts breaking down
With three or four people, a checklist in a Google Doc can work. When the team reaches ten or fifteen, or when turnover is frequent, managing offboarding manually starts generating systemic errors — not because nobody wants to do it right, but because there are too many moving parts to coordinate without a tool holding it together.
Klibio manages the offboarding process end to end: it logs every access granted to each employee from the moment they join, automatically generates the revocation checklist when offboarding starts, notifies each responsible person when it's their turn to act, and keeps an immutable record of who did what and when. All without needing an HR team.
Frequently asked questions
How quickly do I need to revoke access when an employee leaves?
There's no fixed legal deadline for access revocation, but GDPR's data minimisation principle means access should be closed as soon as it's no longer needed — that is, on the day of departure or before. Leaving it until later increases the risk of an incident and makes it harder to defend against a potential complaint.
Is the process the same whether someone resigns or is dismissed?
The access revocation and data management steps are the same in both cases. The difference may be in the internal timeline — in a dismissal, you may want to act faster on certain steps — and in the exit interview, which makes more sense when the departure is voluntary.
What if the departing employee was the only one managing a tool?
This is one of the most common real risks in small businesses: one person who holds the credentials for an account or is the sole admin for a tool. The solution is not to reach that situation in the first place — which requires logging who has access to what from the start. If you're already there, act before the last day: recover the access, create an alternative admin account, or transfer account ownership while they're still available.
How long do I need to keep the employee's data?
Retention requirements vary by country and data type. In most EU jurisdictions, employment records (contracts, payslips, payroll history) must be kept for several years to satisfy potential labour or tax inspections. Personal data without a legal basis for continued processing should be deleted or anonymised once it's no longer necessary. In practice, the standard approach is to retain the full employment file for the legally required period, then anonymise any sensitive personal data once that window closes.