Onboarding and data protection education

Unsurprisingly, good off-boarding begins with good onboarding and training on the General Data Protection Regulation. If your employees handle personal data, you're responsible for making sure they understand the GDPR, so that they can make sure they comply with it. Furthermore, your organisation should have its own internal data protection policies, which employees are familiar with and have agreed to follow.

Good data protection policies and procedures

The best way to protect against an employee taking data when they depart is to make sure you have effective controls in place. You should be considering the following:
- Have visibility of personal corporate data. Keep a data inventory so you know everywhere the data might be stored.
- Limit employee access. Each employee should only have access to personal data according to their role and function, so it's clear what each employee has access to.
- Encrypt data in transit and at rest. By putting good authentication in front of personal data you not only keep unauthorized parties out, you also get a log entry each time it is accessed by an authorized party.
- Manage devices properly. All applications should be enterprise-approved and should not store data locally; where data is stored locally, it must be possible to wipe it remotely.
- Have good backups in place.
- Make sure employees have signed your data protection policy, and include it, along with confidentiality provisions, in your employment contracts.
Off-boarding plan: the data protection component

You should have a documented off-boarding policy that details all of the off-boarding events and who is responsible for each. You'll want to make sure it consists of the following elements:
- Disable access to email
- Remove all rights and disable access to all applications
- Disable company-owned mobile devices
- Delete and wipe company personal data on any employee-owned mobile devices
- Delete data that might have been used by the departing employee
- Monitor access in the weeks before and after employment ends for suspicious activity
- Give managers access to the employee's content archives
- Have them sign a document confirming they have returned all corporate personal data assets and have not retained any company data.
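The monitoring and access-removal steps above are the ones that can be checked automatically. The following is an added example, not code from the original article, showing a simple review that runs over an off-boarding roster and access log lines. The roster, the `user=... action=... object=... bytes=...` log format and the thresholds (a 14-day window, a 4x factor, a 1 MiB floor) are all constructed assumptions for illustration; a real deployment would read from your directory and your application audit logs.

```python
"""Off-boarding access review over constructed logs (added example, not from the article)."""
from datetime import date, datetime, timedelta

# Constructed roster: account -> last working day and whether the directory still shows it enabled.
ROSTER = {
    "jdoe": {"last_day": date(2024, 3, 1), "enabled": True},    # left, but account never disabled
    "asmith": {"last_day": date(2024, 3, 15), "enabled": False},  # left and disabled in the directory
}

# Constructed access log lines (not real data); the key=value format is an assumption.
LOG_LINES = """\
2024-02-10T09:12:00Z user=jdoe action=view object=crm/contact-1042 bytes=2048
2024-02-11T10:00:00Z user=jdoe action=download object=crm/export.csv bytes=40960
2024-02-26T18:40:00Z user=jdoe action=download object=hr/all-staff.xlsx bytes=524288
2024-02-27T19:05:00Z user=jdoe action=download object=crm/full-dump.csv bytes=8388608
2024-03-04T08:30:00Z user=jdoe action=view object=crm/contact-77 bytes=1024
2024-03-10T11:00:00Z user=asmith action=view object=crm/contact-5 bytes=512
2024-03-20T11:00:00Z user=asmith action=download object=crm/contact-5 bytes=512
"""


def parse_events(text):
    """Turn each log line into a dict with a parsed timestamp and integer byte count."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        ev["bytes"] = int(ev.get("bytes", "0"))
        events.append(ev)
    return events


def post_departure_access(roster, events):
    """Any access logged after the last working day: the account was not fully disabled."""
    return [(ev["user"], ev["ts"].isoformat(), ev["object"])
            for ev in events
            if ev["user"] in roster and ev["ts"].date() > roster[ev["user"]]["last_day"]]


def pre_departure_download_spike(roster, events, window_days=14, factor=4, floor_bytes=1 << 20):
    """Compare download volume in the final window against the preceding window of equal length.

    Flag when the final window exceeds `factor` times the baseline (or `factor` times
    `floor_bytes` when the baseline is tiny, so a single small file does not trip the check).
    """
    flagged = {}
    for user, entry in roster.items():
        last = entry["last_day"]
        win_start = last - timedelta(days=window_days)
        base_start = win_start - timedelta(days=window_days)
        window = baseline = 0
        for ev in events:
            if ev["user"] != user or ev["action"] != "download":
                continue
            d = ev["ts"].date()
            if win_start <= d <= last:
                window += ev["bytes"]
            elif base_start <= d < win_start:
                baseline += ev["bytes"]
        if window > factor * max(baseline, floor_bytes):
            flagged[user] = {"window_bytes": window, "baseline_bytes": baseline}
    return flagged


def accounts_still_enabled(roster, as_of):
    """Departed accounts the directory still reports as enabled on the review date."""
    return sorted(u for u, e in roster.items() if e["enabled"] and e["last_day"] < as_of)


def run_review(roster=ROSTER, log_text=LOG_LINES, as_of="2024-03-31"):
    """Run all three checks and return their findings in one dict."""
    events = parse_events(log_text)
    return {
        "post_departure_access": post_departure_access(roster, events),
        "download_spike": pre_departure_download_spike(roster, events),
        "still_enabled": accounts_still_enabled(roster, date.fromisoformat(as_of)),
    }


if __name__ == "__main__":
    for check, finding in run_review().items():
        print(f"{check}: {finding}")
```

The disabled `asmith` account still shows a download after its last day, which is the case worth chasing: the directory account is off, but some application with its own credentials or session still let the user in, which is why the plan above says to remove rights in all applications rather than only in the central directory.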