Access Risk

Could A Former Employee Still Access Company Data?

When employees leave, their access to company systems is not always removed quickly - or at all. Former staff retaining active accounts is one of the most common access risks inside South African organisations.

2. What This Looks Like In Practice

"Six months after a sales manager leaves your business, an IT flag shows an unusual login to your CRM system at 11pm on a Sunday. Investigation reveals it is the former employee's account - it was never deactivated. That account had access to your full client list, account history and contact details for every customer the business has worked with over four years."

3. Potential Consequences
Former employee with ongoing access to your full client list and account history
High competitive risk if the person has moved to a competitor
POPIA risk: continued access to personal information without authorisation
No way to determine what was accessed or downloaded during the gap period
Potential legal exposure depending on what the former employee does with the access
4. Questions Management Should Ask
When did management last review which current and former employees have active accounts across all business systems?
Is there a formal off-boarding checklist that includes IT access deactivation?
Does your business use shared accounts or group passwords that departing staff would still know?
How would you know if a former employee logged in to a company system today?
5. The Technical Side

Identity lifecycle management governs how user accounts are created, maintained and deactivated. Most SME environments lack formal identity governance tools, but Microsoft 365, Google Workspace and most SaaS platforms provide equivalent capability through native user management - it simply needs to be used systematically. Under POPIA's security safeguards condition, maintaining active accounts for former employees constitutes a failure of reasonable organisational security measures. An access review is a non-technical control: it requires only a list of active accounts compared against current staff, something any IT service provider or internal administrator can produce in minutes.

6. Practical Steps to Improve Visibility
1. Conduct an immediate access audit: ask your IT support to list all active user accounts across every system your business uses
2. Compare that list against your current staff list and deactivate all accounts that don't match a current employee
3. Create a formal off-boarding checklist that includes IT access deactivation on or before the employee's last working day
4. Review and rotate any shared passwords or group credentials that departing employees would have known
5. Schedule a quarterly access review as a standing management item - active accounts should match current staff
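
The comparison in steps 1 and 2, written out as an added example (not ComplyBar's own tooling). The CSV column names, finding labels and sample rows are assumptions constructed for illustration; real exports from Microsoft 365, Google Workspace or a CRM will need their columns mapped to these.

```python
import csv
import io
from datetime import date

# Constructed sample exports; column names are assumptions, not a vendor format.
ACCOUNTS_CSV = """system,username,owner_email,enabled,last_login
CRM,t.nkosi,t.nkosi@example.com,true,2024-06-09
CRM,sales-shared,,true,2024-06-10
M365,a.botha,a.botha@example.com,true,2024-06-11
M365,t.nkosi,t.nkosi@example.com,false,2023-12-01
Payroll,j.smith,j.smith@example.com,true,2024-01-15
"""
STAFF_CSV = """email,status,last_working_day
a.botha@example.com,current,
t.nkosi@example.com,left,2023-12-08
"""

def review_access(accounts_csv, staff_csv):
    """Return (system, username, finding) for each enabled account needing action."""
    staff = {r["email"].strip().lower(): r
             for r in csv.DictReader(io.StringIO(staff_csv))}
    findings = []
    for acc in csv.DictReader(io.StringIO(accounts_csv)):
        if acc["enabled"].strip().lower() != "true":
            continue  # already deactivated in this system
        owner = acc["owner_email"].strip().lower()
        person = staff.get(owner)
        if not owner:
            finding = "SHARED_OR_UNOWNED"  # rotate the credential, assign an owner
        elif person is None:
            finding = "NOT_ON_STAFF_LIST"  # no matching HR record at all
        elif person["status"].strip().lower() == "current":
            continue  # active account matches a current employee
        else:
            finding = "FORMER_EMPLOYEE_ACTIVE"
            left, seen = person["last_working_day"], acc["last_login"]
            # A login dated after the last working day is the scenario in section 2.
            if left and seen and date.fromisoformat(seen) > date.fromisoformat(left):
                finding = "FORMER_EMPLOYEE_LOGIN_AFTER_EXIT"
        findings.append((acc["system"], acc["username"], finding))
    return findings

if __name__ == "__main__":
    for row in review_access(ACCOUNTS_CSV, STAFF_CSV):
        print(*row, sep="\t")
```

Accounts are checked per system, so a person disabled in one platform but still enabled in another is still reported.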
Section 7 - Assessment
Find Out Where Your Business Stands

ComplyBar helps businesses identify hidden risks in how information, AI tools, email, documents and cloud systems are used.

Built for POPIA support, AI governance, data leak prevention, employee risk awareness, information governance and audit evidence.
