Most companies have an offboarding checklist. It lives in a shared Google Doc or a Notion page. It has a column for IT tasks and a column for HR tasks. It was created by someone who left the company eighteen months ago and has not been reviewed since.
When someone resigns, the checklist is found, skimmed, and partially completed. The access revocation happens on time. The device return email gets sent. The device itself may or may not come back.
This is not an offboarding process. It is a list of intentions.
An actual offboarding process is a sequence of events with clear owners, defined timelines, automatic triggers where possible, and a documented outcome for every step. For distributed teams - where departing employees are in different countries, using different carriers, subject to different employment laws - the process design matters significantly more than it does for a single-office company.
This guide covers how to build one that works.
Why offboarding is an IT problem, not just an HR problem
Most companies treat offboarding as an HR function. And most of the employee-facing elements of offboarding - exit interviews, final pay, reference arrangements - are correctly HR's responsibility.
But the IT dimension of offboarding is a distinct operational and security process that HR cannot own alone. It involves:
Access revocation across every system the employee used, in the right sequence, at the right time.
Device retrieval from wherever the employee is physically located, which for a distributed team could be anywhere.
Data handling - ensuring company data on the device is securely wiped, that files the employee owns are returned to the company, and that shared account credentials are changed.
Asset documentation - recording the outcome of the offboarding in the asset management system, closing the loop on the device's assignment record.
Each of these is an IT function. Each has security and compliance implications if done incorrectly or not at all.
The four components of an IT offboarding process
A working IT offboarding process has four components that must all function reliably: access revocation, device retrieval, data handling, and documentation. Most companies handle at least two of these reasonably well. The failures cluster in device retrieval and documentation.
Component 1: Access revocation
Access revocation needs to happen on a defined timeline relative to the last day. The standard approach:
On the last day, at the end of business: disable the identity provider account (Okta, Azure AD, Google Workspace, or equivalent). This cascades to all SSO-connected applications automatically.
On the same day: manually revoke access to any systems not covered by SSO. This requires a known list of non-SSO applications - which is why an application audit is valuable before you need it rather than during an offboarding.
Within 24 hours: change passwords on any shared accounts the employee had access to. Update ownership of tools, documents, or accounts the employee was the primary owner of. Reassign their email and set an auto-response for external contacts.
The timing question that most companies get wrong: when to revoke access relative to the last working hour. Revoking access at 9am on the last day means the employee cannot work for their final day. Revoking access at 5pm on the last day is the standard. For involuntary departures - terminations rather than resignations - immediate revocation on notice is appropriate.
Component 2: Device retrieval
Device retrieval is the component most likely to fail, particularly for distributed teams.
The reasons are covered in depth in our guide on how to recover laptops from remote employees when they resign. The summary: the process fails when it puts the logistics burden on a departing employee who is no longer motivated to manage it.
The process design that works:
Trigger at resignation, not at last day. The moment a resignation is received, IT is notified and the return process begins. Not when the employee is packing up their desk.
Return kit dispatched within 48 hours of resignation. The return kit is a pre-packaged box with tested transit packaging, a pre-printed return label, and clear instructions. It arrives at the employee's home before their last day.
Clear deadline communicated by HR, not IT. "The return kit will arrive by [date]. Please send it back by [date] - just drop it at the nearest collection point, it takes about ten minutes." The deadline is specific. The process is simple.
One follow-up at 3 days after the deadline. Not five emails. One clear, practical follow-up from HR: "We noticed the return kit has not come back yet. Is there anything we can help with?"
For international employees, the return kit must account for customs requirements. A return from the Netherlands to Estonia is an intra-EU move with no customs complications. A return from the UK to Estonia requires customs documentation. A return from the US requires a full commercial invoice and may attract import duties. Raal handles all of this as part of the return kit process - IT places the order, the customs layer is managed, and the device comes back regardless of where the employee is.
Component 3: Data handling
Data handling in offboarding has two elements: what happens to data on the device, and what happens to data the employee had access to in cloud systems.
For the device: once it is physically returned, it must be wiped before any other use. Not a factory reset - wiped to the NIST SP 800-88 standard. For solid-state drives, cryptographic erasure is the appropriate method. A certificate of data destruction should be issued and retained for GDPR audit purposes.
For cloud data: the employee's accounts should be preserved for a defined period after departure - typically 30 to 90 days - to allow for business continuity (retrieving files, responding to client questions, reviewing project history) before being permanently deleted. The exact period should be defined in policy and applied consistently.
One practical gap that often goes unaddressed: personal data the employee stored on company systems. Under GDPR, employees have rights over their personal data even when it is stored on company infrastructure. A reasonable offboarding practice is to give the employee an opportunity to retrieve or delete personal files before account closure. This is both good GDPR practice and reduces the risk of a data subject access request post-departure.
Component 4: Documentation
Documentation is the step most likely to be skipped and the one that causes the most problems in retrospect.
After every offboarding, the following should be recorded:
Device outcome: returned, wiped, and reassigned; returned and retired; not returned (with steps taken to recover or remotely wipe); or written off.
Access revocation: confirmation that all systems have been revoked, with a timestamp.
Data handling: confirmation that the device was wiped to standard, with certificate reference; and the disposition of cloud data.
This documentation serves three purposes. First, it closes the asset management loop - you know the state of every device. Second, it provides the audit trail needed for GDPR compliance. Third, it is the evidence you need if a departing employee later claims they returned a device they did not, or disputes any aspect of the offboarding.
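A completeness check over offboarding records, as an added example that is not part of the original guide: it flags records missing any of the three items listed above, using the four device outcomes the guide names. The field names, the `revocation_due` field and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime

RETURNED = {"returned_wiped_reassigned", "returned_retired"}
OUTCOMES = RETURNED | {"not_returned", "written_off"}

def audit_record(rec):
    """Return the list of gaps in one offboarding record (empty list = complete)."""
    gaps = []
    outcome = rec.get("device_outcome")
    if outcome not in OUTCOMES:
        gaps.append("device outcome missing or not one of the four defined outcomes")
    if outcome in RETURNED and not rec.get("wipe_certificate_ref"):
        gaps.append("device returned but no wipe certificate reference")
    if outcome == "not_returned" and not rec.get("recovery_steps"):
        gaps.append("device not returned, no recovery or remote-wipe steps recorded")
    revoked = rec.get("access_revoked_at")
    if revoked is None:
        gaps.append("no access revocation timestamp")
    elif revoked > rec["revocation_due"]:
        gaps.append("access revoked after the due time")
    if not rec.get("cloud_data_disposition"):
        gaps.append("cloud data disposition not recorded")
    return gaps

def audit_all(records):
    """Map employee id -> gaps, listing only the incomplete records."""
    return {r["employee"]: g for r in records if (g := audit_record(r))}

# Constructed sample records; identifiers and certificate reference are placeholders.
SAMPLE_RECORDS = [
    {"employee": "emp-001", "device_outcome": "returned_wiped_reassigned",
     "wipe_certificate_ref": "CERT-PLACEHOLDER-1",
     "access_revoked_at": datetime(2024, 3, 29, 17, 0),
     "revocation_due": datetime(2024, 3, 29, 17, 0),
     "cloud_data_disposition": "retained 60 days, then deleted"},
    {"employee": "emp-002", "device_outcome": "not_returned",
     "access_revoked_at": datetime(2024, 4, 2, 9, 30),
     "revocation_due": datetime(2024, 3, 29, 17, 0)},
]

if __name__ == "__main__":
    for employee, gaps in audit_all(SAMPLE_RECORDS).items():
        print(employee, gaps)
```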
Building the trigger system
A process that requires manual initiation by the right person, at the right time, every time, will fail under normal operational pressure. The most reliable improvement to any offboarding process is making the trigger automatic.
The minimum viable trigger: when HR marks an employee as resigned in the HR system, an automatic notification goes to IT with the employee's name, location, last day, and device assignment details. IT does not need to check the HR system manually, or wait for an email from HR, or find out when they happen to notice the employee's account has been deactivated.
Better: when the employee is marked as resigned, the return kit order is automatically initiated in the device operations system, with the delivery address pre-populated from the HR record.
Better still: the HRIS, the device management platform, and the identity provider are connected so that offboarding in one system propagates to the others automatically. This is the architecture that eliminates most offboarding failures - but it requires integration work that not every company has the resources to build.
For most growing companies, the minimum viable trigger - an automatic notification from HR system to IT on resignation - is achievable quickly and eliminates the most common failure point.
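The minimum viable trigger combined with the timelines from Components 1 and 2, as an added example that is not code from the original guide: one HR event becomes a dated task list with an owner per step. The event field names, the 17:00 end-of-business time and the sample event are assumptions.

```python
from datetime import date, datetime, time, timedelta

END_OF_BUSINESS = time(17, 0)  # assumption: 5pm local time on the last day

def build_offboarding_plan(event, non_sso_apps, retention_days=60):
    """Turn an HR 'resigned' event into (owner, task, due) tuples sorted by due time."""
    if not 30 <= retention_days <= 90:
        raise ValueError("retention must sit in the 30-90 day policy range")
    notice = event["notice_received"]
    last_day_eob = datetime.combine(event["last_day"], END_OF_BUSINESS)
    deadline = datetime.combine(event["return_deadline"], END_OF_BUSINESS)
    # Involuntary departure: revoke on notice. Resignation: end of the last day.
    revoke_at = notice if event["involuntary"] else last_day_eob
    who = f'{event["name"]} ({event["location"]}), device {event["device"]}'
    tasks = [
        ("IT", f"notification received: {who}", notice),
        ("IT", "dispatch return kit", notice + timedelta(hours=48)),
        ("IT", "disable identity provider account", revoke_at),
    ]
    # Non-SSO systems do not inherit the IdP disable; each needs its own task.
    tasks += [("IT", f"revoke non-SSO access: {app}", revoke_at) for app in non_sso_apps]
    tasks += [
        ("IT", "change shared passwords, reassign ownership and email",
         revoke_at + timedelta(hours=24)),
        ("HR", "single follow-up if kit not back", deadline + timedelta(days=3)),
        ("IT", "delete retained cloud data",
         last_day_eob + timedelta(days=retention_days)),
    ]
    return sorted(tasks, key=lambda t: t[2])

# Constructed sample event; the field names are hypothetical, not a real HRIS schema.
SAMPLE_EVENT = {
    "name": "A. Example", "location": "NL", "device": "LAPTOP-0001",
    "notice_received": datetime(2024, 3, 1, 10, 0),
    "last_day": date(2024, 3, 29), "return_deadline": date(2024, 4, 5),
    "involuntary": False,
}

if __name__ == "__main__":
    for owner, task, due in build_offboarding_plan(SAMPLE_EVENT, ["payroll portal"]):
        print(f"{due:%Y-%m-%d %H:%M}  {owner:2}  {task}")
```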
The international complexity
For distributed teams, the offboarding process design needs to account for country-specific employment law requirements, not just logistics.
Germany is the most relevant example for European companies. German employment law gives employees significant protections, and device return obligations need to be documented clearly in employment contracts to be enforceable. A poorly worded return policy that was not in the original contract may be unenforceable in a German labour court.
Netherlands employment law is more straightforward on device return, but notice periods are longer, which actually helps - there is more time to complete the retrieval process before the employee leaves.
UK employment law post-Brexit is its own category. The UK is no longer part of EU employment frameworks, and UK GDPR applies alongside EU GDPR for companies with employees in both regions. For device returns crossing the EU-UK border, customs documentation is required in both directions. Plan for this in the return kit process.
For country-specific guidance on the most complex customs situations for device returns, see our guide to moving IT devices across borders.
The role of a device operations partner
For a company with employees in one country doing 10 offboardings per year, the process above is entirely manageable in-house with a clear playbook.
For a company with employees in 8 countries doing 50 offboardings per year - a common profile at a scale-up with a growing global team - the in-house process requires a part-time logistics coordinator who understands customs requirements in each relevant country pair, has relationships with carriers in each market, and can source appropriate return packaging on demand.
That is a specific skillset that most IT and HR teams do not have, and should not need to develop.
A device operations partner handles the retrieval logistics layer entirely. IT initiates the return kit order. The partner manages the packaging, the carrier, the customs documentation for cross-border returns, and the tracking. IT gets confirmation when the device arrives. The process is the same whether the employee is in Tallinn or Tokyo.
This is the model that makes a globally consistent offboarding process achievable for a team of any size.
FAQ
When should the IT offboarding process start - at resignation or at the last day?
At resignation. The window to engage a departing employee effectively is short and closes quickly after the last day. Device return, data transitions, and knowledge transfer all benefit from being initiated as soon as the resignation is received, not the day the employee leaves.
What is the correct sequence for access revocation?
Disable the identity provider account first - this cascades to all SSO-connected applications. Then manually revoke access to non-SSO systems. Change passwords on shared accounts. Reassign ownership of tools and documents. The entire sequence should happen on or before the last working day.
How long should we retain a departed employee's cloud data before deleting it?
30 to 90 days is the typical range, depending on the role and the business continuity risk. Define the period in policy and apply it consistently. The GDPR consideration is that the data should not be retained longer than necessary - an open-ended "just in case" retention approach creates more risk than it mitigates.
What if the employee refuses to return the device?
Initiate a remote wipe via MDM immediately if the device is enrolled. Send a formal written request confirming the legal obligation to return company property. Document all steps taken. For high-value devices or situations involving sensitive data, seek legal advice on enforcement in the relevant jurisdiction. For Germany specifically, seek employment law advice early - German employment law makes enforcement options different from most other European countries.
How do we handle offboarding for employees in countries with complex customs requirements?
The return kit process needs to account for the customs requirements of the return route. A device returning from the UK to an EU country requires commercial documentation. A device returning from outside Europe may attract import duties. The simplest solution is a device operations partner who handles the customs layer as part of the return kit service, so IT does not need to manage this per-country.



