The essential HR policies every small business needs

Small business HR isn’t glamorous—but it stops headaches, fines, and claims. Get the straight-talk on what’s legally required, what’s smart, and how to keep policies useful, not dusty.
The policies that quietly keep you out of trouble
Most small business owners do not lie awake dreaming about HR policies or a tidy employee handbook. Fair enough. But policies are the unglamorous bit of kit that decide whether a tricky situation stays small or turns into a tribunal claim, a fine, or a very expensive lesson.
Here is the straight-talking version. What you actually need, what is legally required versus simply sensible, and how to keep it all from becoming a dusty folder nobody reads.
Hazel (our Chief Wellbeing Officer) has a strict policy on biscuits. She recommends you have written policies for the slightly more serious things too.
Quick answer
- Do this: build a core set of clear, written policies and gather them in one employee handbook.
- Legally required: a written disciplinary and grievance procedure, a written health and safety policy if you have five or more staff, and data protection records under UK GDPR.
- Keep most policies non-contractual so you can update them without re-papering everyone's contract.
- Write down: which terms are contractual, which are guidance, and the date each policy was last reviewed.
What is an HR policy, and why bother?
A policy is simply your written position on how something is handled at work. A procedure is the step-by-step process that puts the policy into action. Together they tell everyone what is expected, what they can expect from you, and what happens if the rules are broken.
For a small business the value is threefold. Policies keep you compliant with the law, they help you treat people consistently, and they give you something to point to when a decision is challenged. A tribunal does not just ask "what did you do?"; it asks "did you have a fair process, and did you follow it?". Policies are how you answer that question.
There is a real-world warning here too. Tribunals have found dismissals unfair where an employer relied on a rule that was never written down, because the worker could not reasonably have known the standard they were held to. When the rule exists only in someone's head rather than on paper, that gap is what costs employers later.
What is actually required by law?
Let us separate the genuinely mandatory from the merely wise.
- A written disciplinary and grievance procedure. You must have one, it must be accessible to staff, and your written statement of employment particulars (the section 1 statement every employee gets) must tell people where to find the disciplinary and grievance rules that apply to them. The ACAS Code of Practice on disciplinary and grievance procedures is the benchmark a tribunal will measure you against.
- A written health and safety policy, if you employ five or more people. The Health and Safety Executive requires this to be written down. Below five staff you still have the duty; you just do not have to write the policy itself.
- Data protection. Under UK GDPR you need clear records of how you collect, store, and use personal data, and a privacy notice for staff. The Information Commissioner's Office has small-business guidance worth bookmarking.
Almost everything else is strongly recommended rather than strictly mandatory. But "recommended" here means "the thing that protects you when a dispute lands", so treat the core set below as essentials.
The core set every small business should have
- Disciplinary and grievance. The legally required pair. They give you a fair, defensible route through misconduct and complaints. Your procedure should also set out the right to be accompanied, which we cover in who can accompany an employee at a disciplinary meeting.
- Equal opportunities and anti-harassment. This protects people and protects you. It matters more than ever given the duty on employers to take reasonable steps to prevent sexual harassment, introduced by the Worker Protection (Amendment of Equality Act 2010) Act 2024. The ACAS guidance on preventing sexual harassment is a good starting point.
- Sickness absence. How to report illness, when you need a fit note, and how absence is managed. Pairs neatly with your decision on company sick pay, which we cover in the advantages and disadvantages of sick pay schemes.
- Annual leave. Entitlement, how to book it, carry-over, and bank holidays.
- Family leave. Maternity, paternity, adoption, shared parental, and the newer neonatal care leave.
- Health and safety. Risk assessment, hazard reporting, and emergency procedures.
- Data protection. As above, the UK GDPR essentials.
- IT, communications, and social media. Acceptable use, confidentiality, and what staff can and cannot say online.
- Code of conduct. Your baseline expectations for behaviour, dress, and professionalism, including the things that feel "obvious" until someone proves they were not.
A pay rate is not a policy, but your policies should reference the statutory floors that change each April. Keep an eye on the current UK statutory pay rates for 2026/27 so your sick pay and family leave wording stays accurate.
Contractual versus non-contractual: the bit that saves you headaches
This is the single most useful distinction in this whole article, so here it is plainly.
- Contractual terms are part of the employment contract. Pay, hours, notice, and core holiday entitlement usually sit here. You cannot change them unilaterally. Changing them needs the employee's agreement, which is a proper contract variation.
- Non-contractual policies are guidance you set and can update. Most of your handbook should live here. It means you can refresh your social media policy when a new platform appears, or tighten your absence reporting process, without asking every employee to sign a fresh contract.
The practical move is to state clearly, in both the contract and the handbook, that the policies are non-contractual and may be updated from time to time. Keep the genuinely contractual terms in the contract, and keep the changeable guidance in the handbook. Get this wrong and you can accidentally bake a policy into the contract, then find you are stuck with it.
The employee handbook: one place for all of it
An employee handbook is simply the folder, digital or printed, that gathers your policies together. There is no law that says you must have one, but it is the easiest way to make sure staff can find the rules and that you can show a consistent approach.
A good handbook is accessible, dated, version-controlled, and written in plain English. It is not a legal textbook nobody opens. It states up front that it is non-contractual, points to the contract for contractual terms, and tells people who to ask if something is unclear.
A step-by-step checklist to get started
- List your legally required policies first: disciplinary, grievance, health and safety (if five or more staff), data protection.
- Add the core recommended set: equal opportunities and anti-harassment, sickness absence, annual leave, family leave, IT and social media, code of conduct.
- Decide what is contractual and what is non-contractual, and state it clearly.
- Write in plain English, with short procedures people can actually follow.
- Gather everything into one dated handbook and make it accessible to all staff.
- Get staff to acknowledge they have read it, and keep that acknowledgement on file.
- Diarise an annual review, plus an ad hoc review whenever the law changes.
Common mistakes (and the fix)
- Mistake: having no written disciplinary or grievance procedure. Fix: put one in place now and reference it in the section 1 statement.
- Mistake: copy-pasting a generic template and never tailoring it. Fix: adapt it to your actual roles, risks, and sector. A delivery yard needs different rules from a quiet office.
- Mistake: making policies contractual by accident. Fix: state clearly that policies are non-contractual guidance.
- Mistake: writing it once and never reviewing it. Fix: treat policies as living documents and review at least annually.
- Mistake: assuming a small team does not need a social media policy. Fix: reputational and confidentiality risks do not scale with headcount. Even a team of three needs clear online conduct rules.
A short example
A Hampshire cafe owner with four staff thought policies were "for big companies". When a team member posted a furious rant naming an unhappy customer, the owner had nothing to point to. No social media policy, no code of conduct, no clear confidentiality wording. The conversation that followed was awkward and risky.
A single side of A4 covering online conduct, confidentiality, and who may post officially would have turned a tense disciplinary into a simple "you breached the policy, here is the warning". Small business, small policy, large amount of protection.
What to write down
Make sure your handbook clearly states:
- which terms are contractual and which are non-contractual guidance
- the disciplinary and grievance procedures, and where to find them
- your health and safety arrangements (written, if you have five or more staff)
- how personal data is handled under UK GDPR
- the date each policy was last reviewed and the next review date
- a record that each employee has read and acknowledged the handbook
Bottom line
- A handful of clear policies will protect you far more than their cost in time.
- Disciplinary, grievance, written health and safety (five or more staff), and data protection are the genuinely required pieces.
- Keep most policies non-contractual so you can update them as the world changes.
- Gather it all into one accessible, dated handbook, and review it at least once a year.
Right, what do you do now?
If you are not sure your policies cover the basics, or you suspect your handbook is out of date, this is exactly what we look at in an HR Health Check. We tell you what is missing, what is risky, and what to fix first, in plain English and with no judgement.
Ongoing support to keep policies current and handle the tricky conversations is what HR Protect is built for, and the HR Advice Line is there when you just need a quick answer.
Book your HR Health Check or a discovery call and let us get your foundations solid.

About Kate Underwood
HR consultant and founder of Kate Underwood HR. Providing HR support for small businesses for over 10 years in Hampshire, Dorset and across the UK.
