Google Workspace Training | Admin
Google Workspace: Maintain data security of a terminated employee
For organizations using Google Workspace, employee turnover can be a concern for both an HR manager and an IT admin. If you perform the offboarding procedure incorrectly, it can cause data loss or a data leak with unwanted consequences.
As your organization’s administrator, keep your organization’s Google Workspace data safe and secure when a user leaves by following these best practices:
Best Practices for Offboarding an Employee
-
This can greatly reduce the risk of unauthorized access to their old account.
- Revoke password recovery access
After you reset the password, make sure the user won’t be able to reset it themselves in the future and block them from signing in to their Google Workspace account.
-
Before you delete the ex-employee account, create an alias, or notify their email contacts that they’re no longer available, you should set up email forwarding. By doing so, you preserve all the important connections for future use. Business partners and clients can continue contacting your company using the former employee’s old email address.
Note: After you remove the license and/or delete the account, these options won’t work.
- Revoke authorized applications
Changing a user’s password also revokes OAuth 2.0 tokens issued for accessing certain products. Review all authorized access and revoke any other authorized applications.
- Wipe corporate data from a device
Use the Admin console to remotely remove data from the user’s device. You can remotely wipe the entire device or erase only your organization’s data.
- Reset the user’s sign-in cookies
This also reduces the risk of unauthorized access.
- Revoke security keys and app password access
Revoke any security keys or application-specific passwords that have been granted access to the user’s account.
- Preserve data
You most likely need to preserve business-critical data for compliance, legal, or business continuity reasons. Maintaining a licensed account is possible, yet it costs money. Archiving is the way to preserve data without paying a monthly license fee. There are different ways to accomplish this:
- Delete or remove a user from your organization
After performing all the steps above, delete their account completely. This is the best way to ensure they can’t access your organization’s data.
Important:
- Check with your legal and/or HR department to ensure deleting an account is allowed under your compliance and retention policies.
- Don’t delete the account if you want to maintain email forwarding.
- Add an alias to another account
The best way to preserve a former employee’s email address, without maintaining their licensed account, is to create an email alias. An alias is an additional email address for an existing account and associated cloud storage. Note that a user can be assigned more than one alias.
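
The revocation steps in the list above can also be run through the Admin SDK Directory API instead of the Admin console. The following is an added example, not part of the original training page or Google's own code; it assumes the caller passes in an already-authorized Directory API v1 client as `directory`, and the function name `offboard_user` and its parameters are hypothetical.

```python
import secrets


def offboard_user(directory, user_email, wipe_device_ids=(), customer_id="my_customer"):
    """Run the page's revocation steps in order; return the actions taken.

    Assumption: `directory` is an authorized Admin SDK Directory API v1 client,
    e.g. googleapiclient.discovery.build("admin", "directory_v1", credentials=...).
    """
    done = []

    # Reset the password to a random value nobody keeps, and block sign-in.
    directory.users().update(
        userKey=user_email,
        body={"password": secrets.token_urlsafe(32), "suspended": True},
    ).execute()
    done.append("password_reset_and_suspended")

    # A password change revokes only some OAuth tokens, so list what is
    # still authorized and revoke each remaining grant explicitly.
    tokens = directory.tokens().list(userKey=user_email).execute().get("items", [])
    for tok in tokens:
        directory.tokens().delete(userKey=user_email, clientId=tok["clientId"]).execute()
        done.append("oauth_revoked:" + tok["clientId"])

    # Erase only the organization's data from each listed device.
    for device_id in wipe_device_ids:
        directory.mobiledevices().action(
            customerId=customer_id,
            resourceId=device_id,
            body={"action": "admin_account_wipe"},
        ).execute()
        done.append("account_wiped:" + device_id)

    # Reset sign-in cookies: ends the user's existing sessions.
    directory.users().signOut(userKey=user_email).execute()
    done.append("signed_out")

    # Revoke application-specific passwords.
    asps = directory.asps().list(userKey=user_email).execute().get("items", [])
    for asp in asps:
        directory.asps().delete(userKey=user_email, codeId=asp["codeId"]).execute()
        done.append("asp_revoked:%s" % asp["codeId"])

    # Deletion is deliberately not done here: the page requires a legal/HR
    # check first, and forwarding stops working once the account is deleted.
    return done
```

Security keys are not handled by this function; revoke them in the Admin console as described in the list.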