IT Security Guru

More than half of former UK employees still have access to company spreadsheets, study finds

by Guru Writer
January 23, 2026
in Featured

More than half of UK employees retain access to company spreadsheets they no longer need, leaving sensitive business data exposed long after people change roles or leave organisations, according to new research from privacy technology company Proton.

The study, based on a survey of 250 small and medium-sized businesses (SMBs) in the UK, found that 64% still had access to files that should no longer be available to them. In some cases, this includes documents containing financial information, client data, salary details, or internal planning material.

With around 16.9 million people working for SMBs across the UK, the findings suggest that millions of current and former employees could still have access to sensitive company data without their employers’ knowledge.

The research highlights a growing gap between the critical role spreadsheets play in daily business operations and the poor governance of their access. Spreadsheets are now widely used as informal systems of record, with 64% of respondents using them for project management, 47% for financial reporting, and 45% for managing client or customer data.

Despite this reliance, access controls remain weak. Nearly four in ten respondents (39%) said they had shared spreadsheets using “anyone with the link” permissions, while 20% said they only review who has access to their spreadsheets once a year. Manual offboarding processes remain common: 44% of access removals are handled manually, while just 36% are automated.

Proton says this combination of link-based sharing and manual offboarding helps explain why access often persists long after an employee leaves.

“Spreadsheets are often treasure troves of sensitive data, from financial and strategic planning information to HR and client data,” said Patricia Egger, head of security at Proton. “Yet they’re not handled like other high-risk data. When someone leaves a company, access to shared spreadsheets is often nobody’s problem. Links stay active, permissions aren’t reviewed, and data remains accessible without anyone noticing.”

Confusion over cloud security and data use

The study also found widespread misunderstanding about how secure cloud-based spreadsheets really are. Two-thirds of respondents (67%) believe their Google Sheets files are private and accessible only to intended viewers, while almost a quarter said they were unsure what information Google can or cannot access.

There is similar uncertainty around encryption and provider access, particularly with Microsoft. Almost a quarter of UK respondents said they were unsure whether Microsoft could view spreadsheet content.

Uncertainty also extends to data use. More than a third (34%) of respondents believe spreadsheet data could be used to train AI models, and 84% said they would find that concerning.

Personal and work accounts are being mixed

Nearly half of respondents (45%) admitted to opening work spreadsheets using personal cloud accounts, while 46% said they had accessed personal spreadsheets using work accounts. Security researchers warn that this blurring of personal and professional data increases the risk of accidental data leakage, unauthorised access, and compliance failures, particularly where sensitive financial or customer data is involved.

The UK is among the most spreadsheet-reliant countries

Proton compared its UK findings with results from other countries, including the US and France. While lingering access in the UK (64%) was slightly lower than in the US (67%), it was significantly higher than in France (40%).

The UK also showed the highest levels of uncertainty about provider access and encryption, particularly for Microsoft-hosted spreadsheets. Proton noted that these risks are amplified by European data sovereignty concerns, as data hosted by foreign cloud providers may fall under legal regimes outside a company’s control.

Everyday tools, enterprise-level risk

The findings point to a broader problem: spreadsheets are increasingly used to run core business processes, but without the governance, visibility, or controls normally applied to more formal business systems. Researchers say this creates a growing blind spot for SMBs, particularly as collaboration tools, consumer cloud accounts, and AI services become more deeply embedded in everyday work.

“Most of these risks don’t come from malicious behaviour,” Egger added. “They come from everyday process gaps: manual offboarding, weak defaults, and a lack of visibility into who can still access what.”
