Starters Process


  • Conduct background checks and verify the identity of new employees, where relevant and permissible by law;
  • Ensure that employment contracts include clauses addressing confidentiality, data protection and compliance with relevant security policies.


  • Provide new employees with comprehensive induction training that covers UK GDPR and UK Cyber Essentials requirements.
  • Ensure new employees read, understand, and sign a confidentiality agreement and an acceptable use policy.
  • Grant access to systems, applications and data based on the principle of least privilege, only allowing access to the information necessary for their role.
  • Provide new employees with unique login credentials and enforce the use of strong, unique passwords.
  • Provide relevant training on secure data handling, password management and phishing awareness.

Movers Process:

Role Changes:

  • Regularly review and update access rights when employees change roles or departments.
  • Revoke unnecessary access and privileges when an employee’s role changes.
  • Update the employee’s information in relevant systems and directories.
  • Provide additional training and support for employees moving to roles with increased security responsibilities.

Leavers Process:


  • Inform relevant departments (e.g., IT, HR) about the departure of an employee and the termination date.
  • Disable and/or delete the departing employee’s accounts, access rights and login credentials for all systems, applications, and data.
  • Collect any physical access tokens (e.g., ID cards, key cards) and organisation-owned devices (e.g., laptops, smartphones).
  • Conduct an exit interview, emphasising the importance of maintaining confidentiality even after employment termination.


  • Regularly monitor for unauthorised access attempts by former employees.
  • Maintain contact details for former employees in case of any data breach or incident that requires their involvement.
  • Ensure that all ex-employees’ data is retained, archived or deleted in accordance with the organisation’s data retention policies and GDPR requirements.