Essential HR Policies for UK Small Businesses: A 2026 Guide

If you're about to hire your first employee, you've just won a contract that asks for written policies, or your insurer has emailed asking for a health-and-safety document, this guide is written for you. Small UK businesses need a short, specific set of HR policies to comply with employment law, satisfy insurers and customers, and protect themselves if things ever reach tribunal. This guide sets out the ten that actually matter, what the law requires versus what's merely expected, and how to put them together without solicitor fees.

The short answer

Most UK small businesses need these ten HR policies:

  1. Disciplinary
  2. Grievance
  3. Equal opportunities
  4. Anti-harassment
  5. Health & safety*
  6. Data protection
  7. Sickness absence
  8. Leave & working time
  9. Acceptable use (IT)
  10. Whistleblowing

* Statutorily required in writing once you reach five employees (HSWA 1974 section 2(3)). The other nine are either effectively required by the ACAS Code or strongly expected by insurers, tenders and employment tribunals.

If you only have 30 minutes: start with disciplinary, grievance and health & safety. The rest can follow in week two.

What UK law actually requires

A common misconception is that UK employment law mandates a long written policy set for every employer. It doesn't. The statutory floor is narrow; the expected floor — what tribunals, insurers and investors look at — is much higher. It's worth knowing the difference, because the consequences of missing one versus the other are different.

Statutorily required in writing. A written health and safety policy is required once you employ five or more people under section 2(3) of the Health and Safety at Work etc Act 1974. A written statement of employment particulars, covering pay, hours, holiday, notice and grievance/disciplinary rules, is required on or before the first day of employment under section 1 of the Employment Rights Act 1996 as amended in 2020. Registration with the Information Commissioner's Office is required for most employers that process personal data, at Tier 1 fees of £52 per year as of 2026. These are hard floors; missing them is an enforcement matter.

Statutorily expected but not technically mandatory. A disciplinary and grievance procedure is not, strictly, statutorily mandatory, but the ACAS Code of Practice on Disciplinary and Grievance Procedures is a statutory code under section 207 of the Trade Union and Labour Relations (Consolidation) Act 1992. Section 207A of the same Act permits a tribunal to uplift any award by up to 25% where an employer has unreasonably failed to comply. In practice this means having a written, compliant procedure is not optional for any employer who wants to be able to dismiss or discipline lawfully. The same applies to a written equal opportunities and anti-harassment policy, which is part of the evidence a tribunal will examine when assessing whether an employer took reasonable steps to prevent discrimination under section 109 of the Equality Act 2010, and more recently to establish compliance with the new preventative duty on sexual harassment that came into force on 26 October 2024 under the Worker Protection (Amendment of Equality Act 2010) Act 2023.

Contractually and commercially expected. Employers' liability and cyber insurers routinely ask for written policies during renewal; public-sector tenders list them as conditions; investors ask for them in due diligence; enterprise customers ask for a DPA and supporting policies. These are not legal requirements but they are hard commercial gates.

The ten essential HR policies for a UK small business

The following ten cover the statutory and strongly-expected ground for a business of up to around 50 employees in most sectors. Beyond 50 employees, additional policies become relevant (see “What you can skip at first,” below).

1. Disciplinary policy

Sets out the standards of conduct and performance expected, the procedure for investigating and addressing breaches, and the range of outcomes (from informal discussion through written warning to dismissal). Must align to the ACAS Code: the employee must be informed of the concern in writing, have the opportunity to respond at a hearing, be accompanied by a colleague or trade union representative, and have a right of appeal. Without this procedure, any dismissal is at high risk of being found unfair at tribunal under section 98 of the Employment Rights Act 1996. The policy should also address summary dismissal for gross misconduct with a non-exhaustive list of examples.

2. Grievance policy

The counterpart procedure: how an employee formally raises a concern about treatment, working conditions, or a colleague's behaviour. The same ACAS Code principles apply — written submission, hearing, accompanied by a representative, written outcome, right of appeal. A grievance policy also serves as the channel for raising discrimination and harassment complaints, which connects directly to the anti-harassment policy below.

3. Equal opportunities policy

Establishes the organisation's commitment to non-discrimination on the nine protected characteristics in section 4 of the Equality Act 2010: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation. Covers recruitment, terms and conditions, promotion, training, and termination. Its practical effect is evidentiary: when an employer is accused of discrimination under sections 13 (direct), 19 (indirect), 26 (harassment) or 27 (victimisation), having a written, communicated and trained-on policy forms part of the “all reasonable steps” defence under section 109(4).

4. Anti-harassment and anti-bullying policy

In practice this is often combined with the equal opportunities policy, but since October 2024 it carries additional weight because of the Worker Protection (Amendment of Equality Act 2010) Act 2023. The new section 40A imposes a positive duty on employers to take reasonable steps to prevent sexual harassment of employees, enforceable by the Equality and Human Rights Commission and giving tribunals a 25% award uplift for breach. A standalone or clearly-demarcated anti-harassment policy, with a named reporting channel and evidence of training, is the minimum defensible posture.

5. Health and safety policy

Statutorily required in writing at five or more employees (HSWA 1974 s.2(3)). Must describe the organisation's general policy on health and safety, the organisation and arrangements in force for carrying it out, and be brought to the notice of all employees. At small headcount this is typically a three- to five-page document covering responsibilities (directors, managers, employees), risk assessment approach, accident reporting (RIDDOR), first aid, fire safety, and ergonomic arrangements (especially for remote or hybrid workers under the Health and Safety (Display Screen Equipment) Regulations 1992).

6. Data protection policy

Describes how the organisation processes personal data under the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR) and the Data (Use and Access) Act 2025. Covers lawful bases under Article 6, special categories under Article 9, data subject rights (access, rectification, erasure, restriction, portability, objection), retention, international transfers, and breach response. Employees are both data subjects (their HR data) and data processors (when handling customer data) — the policy has to address both. This is the policy insurers and enterprise customers ask for most frequently.

7. Sickness absence policy

Sets out notification requirements (when and how to call in sick), self-certification (up to seven days), fit notes (after seven days, issued under the Social Security (Medical Evidence) Regulations 1976 as amended), statutory sick pay (SSP) arrangements under the Social Security Contributions and Benefits Act 1992, and the procedure for managing long-term absence, including reasonable adjustments under section 20 of the Equality Act 2010 where the absence is disability-related. The policy should also address return-to-work interviews and the Bradford Factor or equivalent trigger thresholds for short-term absence review.

8. Leave and working time policy

Covers the statutory minimum 5.6 weeks' paid annual leave under regulations 13 and 13A of the Working Time Regulations 1998 (including how leave is accrued, carried over, paid on termination and — since Harpur Trust v Brazel [2022] UKSC 21 — how it is calculated for part-year workers). It also covers maternity, paternity, shared parental, parental, bereavement, and carer's leave entitlements (the last added by the Carer's Leave Act 2023, in force April 2024); flexible working requests under the Employment Relations (Flexible Working) Act 2023, which since April 2024 is a day-one right and permits two requests per year with a decision within two months; and working time limits (48-hour week, daily and weekly rest, night work) and the opt-out process.

9. Acceptable use (IT) policy

Governs the use of company devices, email, internet, messaging, cloud services and (increasingly) generative-AI tools. Sets the line between acceptable personal use and misuse, covers the monitoring the organisation conducts and its lawful basis (typically legitimate interest under UK GDPR Article 6(1)(f), subject to the proportionality test), addresses password and authentication hygiene, and prohibits uploading confidential data to unapproved third-party tools. This policy is increasingly important for data protection compliance because accidental leakage through consumer AI tools is now the largest single driver of small-business data breach incidents reported to the ICO.

10. Whistleblowing (public interest disclosure) policy

Establishes the channel by which an employee can raise a serious concern about wrongdoing, and confirms the statutory protection against detriment or dismissal under Part IVA and section 103A of the Employment Rights Act 1996 as amended by the Public Interest Disclosure Act 1998. Required in substance for regulated sectors (FCA-authorised firms must have one under SYSC 18), and strongly expected for anyone pursuing enterprise customers or public-sector contracts. Without it, a worker who raises a concern externally has fewer procedural alternatives, and the employer loses the defence of “we had an internal channel you bypassed.”

Get all fifteen in one bespoke pack

PolicySuite's UK Employment & Workforce Compliance pack covers the ten essentials above plus five more that small businesses typically need within the first twelve to twenty-four months (remote working, social media, drug and alcohol, dress code, performance management). All fifteen are ACAS-aligned, reference current UK statutes, and are written bespoke to your sector and headcount — not generic templates.

£400 one-off · 15 policies · lifetime access

Prefer to buy one at a time? Individual policies are available from £29.99 at the HR policy library.

What you can skip (at first)

The following are commonly listed as “essential” but in reality become relevant only as you grow or enter specific sectors. Deferring them until they are needed is a defensible decision, provided you document why.

  • Remote-working and BYOD policies — important once any employee uses personal devices for work or works from home regularly. Likely essential for any hybrid team.
  • Social media policy — essential once you have public-facing brand risk, typically when marketing or customer-support roles are hired.
  • Drug and alcohol policy — essential for safety-critical roles (driving, machinery) and regulated sectors; optional for typical office roles at small scale.
  • Anti-bribery and corruption policy — statutorily mandatory only for organisations within scope of the Bribery Act 2010 section 7 “failure to prevent” offence, but strongly expected for anyone dealing with public bodies.
  • Modern slavery statement — only required by section 54 of the Modern Slavery Act 2015 for commercial organisations with turnover of £36 million or more. Optional below that threshold.
  • Gender pay gap reporting — only for employers with 250 or more employees on the snapshot date under the Equality Act 2010 (Gender Pay Gap Information) Regulations 2017.

Employee handbook or standalone policies?

Both work. The practical choice depends on how you onboard employees and how you update the documents.

Handbook. All policies are collected into a single document, usually issued as part of induction alongside the employment contract. Advantages: simpler to distribute and acknowledge (one signature covers all), easier to reference in the employment contract, cheaper to produce. Disadvantages: every policy update is a handbook reissue, which is heavy; individual policies are harder to extract for tender or insurance responses.

Standalone. Each policy is its own document, referenced collectively in the employment contract (“the policies in force from time to time, available at [location]”). Advantages: individual policies can be updated without reissuing everything; easier to share a specific policy externally; cleaner governance of version control. Disadvantages: more surface area for inconsistency (tone, defined terms, numbering); requires a central register or policy-management tool to track acknowledgements.

For small businesses below about 30 employees, a handbook is usually the simpler choice. Above that headcount, standalone policies with a policy-management platform typically scale better, particularly if your sector is inspected or audited. PolicySuite generates either format, and most customers start as a handbook and split later.

Writing them yourself versus buying them

The cost ranges widely and the quality does too.

Writing from scratch is feasible if you have employment law knowledge, time, and access to current statute and case law. Realistically, a good full set takes a capable person 30–50 hours, and the result depends heavily on currency — the ACAS Code is periodically revised, Equality Act duties change (as in October 2024), flexible-working rules change (as in April 2024), data-protection statute changes (as with the Data (Use and Access) Act 2025). Most small businesses that try this end up with a partial, dated set.

A high-street employment solicitor will charge £1,200–£2,500 for a full set. An HR consultant charges £800–£1,500. Both produce good work but rarely reuse it for subsequent customers, so you pay bespoke rates for what is largely a solved problem.

Generic templates are freely available online or from legal-document sites at £30–£100 per policy. Most are US-origin or pre-2023 UK, and the compliance value at tribunal is close to zero. They can work as a starting point if you have the knowledge to update them; as a finished product they are a false economy.

A bespoke policy pack — the PolicySuite approach — is written against current UK law, adapted to your sector, headcount and jurisdiction, and typically costs £200–£400 for a full small-business set. Individual policies start at £29.99 if you only need one or two. The bespoke-versus-template distinction matters legally: at tribunal, a generic template is evidence you didn't engage with the specific risks of your workplace, whereas a bespoke policy is evidence that you did.

Common mistakes UK small businesses make

  • Using US templates. At-will employment, ADA, FMLA, FLSA, EEOC references, and “company-issued” firearm policies all appear in free templates and all are wrong for the UK. Any policy that mentions these is evidence of copy-paste, not engagement.
  • Incorporating policies as contractual terms. If a policy is contractual, it can only be changed with the employee's consent. Non-contractual policies, referenced in the contract, can be updated. Most employment solicitors draft policies as non-contractual for this reason.
  • Issuing policies without training managers. The ACAS Code, the Equality Act section 109(4) defence, and the new sexual-harassment preventative duty all require that those enforcing the policy know how to. A disciplinary procedure on paper that managers haven't seen is of limited defensive value.
  • Forgetting the two-year line. Employees with fewer than two years' continuous service cannot bring an ordinary unfair dismissal claim (section 108 of the Employment Rights Act 1996), but they can still claim automatic unfair dismissal (discrimination, whistleblowing, family-friendly rights, statutory-right assertion) from day one. Policies must therefore be applied consistently from day one; the two-year line only affects ordinary unfair-dismissal risk.
  • No review cadence. Policies drift out of date fast. An annual review is the minimum; trigger-based reviews (new statute, new case law, headcount threshold) catch the material changes.
  • No acknowledgement trail. A policy the employee has not seen or acknowledged is of limited defensive value. Electronic acknowledgement with date stamp is the minimum; a policy-management platform that tracks this centrally is the lightest-touch answer.

Review cadence

An annual review date is the default. In addition, trigger-based reviews are needed whenever one of the following happens:

  • A new statute or statutory instrument changes an obligation (recent examples: Worker Protection Act 2023, Carer's Leave Act 2023, Employment Relations (Flexible Working) Act 2023, Data (Use and Access) Act 2025).
  • A material appellate case is decided (recent examples: Harpur Trust v Brazel on part-year holiday, Mercer v Alternative Future Group on industrial-action protections).
  • The ACAS Code is revised.
  • You cross a headcount threshold: five (H&S written policy), fifty (additional duties under health and safety regulations and information and consultation regulations), 250 (gender pay gap reporting).
  • You enter a regulated sector (financial services, healthcare, children's services) or take on a public-sector contract that requires additional policies.
  • You experience a material incident (dismissal challenge, grievance, data breach, HSE intervention) that exposes a gap.

Record in the policy footer both the review date and the date the review was last done. Tribunals and auditors look for it.

Frequently asked questions

How many HR policies does a small UK business actually need?

Eight to ten cover the statutory and strongly-expected ground for most UK small businesses: disciplinary, grievance, equal opportunities, anti-harassment, health and safety (statutorily required in writing at five employees under the Health and Safety at Work Act 1974 section 2(3)), data protection, sickness absence, leave and working time, acceptable IT use, and whistleblowing. Additional policies become relevant as you scale or enter specific sectors.

Are HR policies a legal requirement in the UK?

Some are, some are not. A written health and safety policy is statutorily required once you employ five or more people. A compliant disciplinary and grievance procedure is effectively required by the ACAS Code of Practice on Disciplinary and Grievance Procedures — the tribunal will uplift an award by up to 25% under section 207A of the Trade Union and Labour Relations (Consolidation) Act 1992 where an employer has unreasonably failed to comply. Others are not legally mandatory but are treated as de facto required by insurers, investors, and employment tribunals assessing reasonableness.

Should HR policies be contractual or non-contractual?

Non-contractual in most cases. Contractual policies can only be changed with employee consent; non-contractual policies can be updated as law and practice evolve. The employment contract should reference the policies as applicable — for example, by stating that the employee is required to comply with the policies in the employee handbook, which may be updated from time to time — without incorporating them as contractual terms. This is the standard approach and is what most employment solicitors draft.

What if I don't have written HR policies at all?

You expose yourself to three things. First, an ACAS Code uplift of up to 25% on any tribunal award where you have followed no formal procedure. Second, a harder defence on unfair dismissal — the tribunal will ask what procedure you followed and what the employee knew about it. Third, problems with employers' liability insurance, investors, tenders and public-sector contracts, all of which routinely ask for evidence of written policies. Writing them is straightforward; not having them is expensive.

Can I use a free template?

You can, but most free templates online are American (referencing at-will employment, ADA, FMLA), are out of date (pre-UK GDPR, pre-2019 holiday-pay reforms, pre-2024 flexible-working reforms), or are so generic they do not reflect your sector or headcount. They satisfy a tick-box requirement but not a tribunal. A bespoke pack written against current UK law — ACAS, Employment Rights Act, Equality Act, UK GDPR — is a small cost compared with a single tribunal defence.

How much should HR policies cost a small UK business?

There is a wide range. A high-street employment solicitor will typically charge £1,200–£2,500 for a full set; an HR consultant £800–£1,500. Templates from legal-document sites are £30–£100 per policy but generic. PolicySuite's UK Employment & Workforce Compliance pack is £400 for fifteen bespoke ACAS-aligned policies, or individual policies are available from £29.99 each. The decision is usually between a generic template that fails at tribunal and a bespoke pack that holds up.

How often should HR policies be reviewed?

Annually at minimum, with trigger-based reviews whenever an important statute or case changes. Recent triggers include the Worker Protection (Amendment of Equality Act 2010) Act 2023 (new preventative duty on sexual harassment, in force 26 October 2024), the Employment Relations (Flexible Working) Act 2023 (day-one right to request flexible working, April 2024), and the Data (Use and Access) Act 2025 for data protection policies. Also review when you cross a headcount threshold (five, fifty, 250 employees) that triggers new obligations.