Many small businesses start without any formal HR policies. When things are going well, it does not feel like a priority. But when something goes wrong, the absence of clear policies can leave you exposed, both legally and practically.
Having the right policies in place protects your business, sets clear expectations for your team, and demonstrates to employees that you take your responsibilities seriously. More importantly, some policies are a legal requirement, and failing to have them can land you in an employment tribunal.
Here are the 10 policies we recommend every SME puts in place, starting with the ones you are legally required to have.
1. Disciplinary and grievance policy
This is not optional. Under Section 3 of the Employment Rights Act 1996, you must provide employees with details of your disciplinary and grievance procedures as part of their written statement of employment particulars. Your policy should follow the Acas Code of Practice on Disciplinary and Grievance Procedures, which sets out the minimum steps for handling workplace issues fairly.
A good disciplinary and grievance policy covers how issues are raised, how investigations are conducted, who makes decisions, and how employees can appeal. Without one, you are exposed to tribunal claims, and any compensation awarded can be increased by up to 25% if you have failed to follow the Acas Code.
If you need help putting a process in place or managing an ongoing issue, our disciplinary and grievance support service can guide you through it.
2. Equal opportunities and anti-harassment policy
This policy sets out your commitment to preventing discrimination and harassment in the workplace. It should cover all protected characteristics under the Equality Act 2010, including age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation.
Having a clear policy is not just good practice. It is also your primary defence if an employee brings a harassment claim. Tribunals will ask whether you took "all reasonable steps" to prevent the behaviour. From October 2026, this duty is being strengthened further, with employers required to take proactive steps to prevent sexual harassment, including from third parties such as customers and clients.
A well-drafted policy that is communicated to all staff, backed up by training and consistently enforced, is the foundation of that "all reasonable steps" defence.
3. Sickness absence policy
Absence costs UK businesses billions every year, and small businesses feel the impact disproportionately. A clear sickness absence policy helps you manage the process fairly and consistently.
Your policy should cover how employees report sickness (who to call and by when), when a fit note is required (after seven calendar days of absence), SSP entitlements, your return-to-work process, and any trigger points that prompt a formal review. Trigger points based on the Bradford Factor or similar models help you identify patterns of absence early, before they become a serious problem.
For detailed guidance on managing absence effectively, visit our absence management page.
4. Holiday and leave policy
Every worker is entitled to 5.6 weeks of paid annual leave per year (28 days for a full-time employee, which can include bank holidays). Your policy should explain how holiday is calculated, how to request time off, the booking process, blackout periods if any, and carry-over rules.
It should also cover other types of leave: compassionate leave, jury service, time off for dependants, and any enhanced provisions you offer for parental leave or other circumstances. Being clear about these entitlements reduces disputes and helps your managers handle requests consistently.
5. Health and safety policy
If you employ five or more people, you are legally required to have a written health and safety policy under the Health and Safety at Work Act 1974. Even if you have fewer than five employees, having a policy is strongly recommended.
Your policy should set out your general approach to health and safety, who is responsible for what, and the specific arrangements in place (risk assessments, first aid, fire safety, accident reporting). It should be reviewed regularly and updated whenever your working environment changes.
Our health and safety service can help you assess your current arrangements and put the right measures in place.
6. Data protection and privacy policy
Under the UK GDPR and Data Protection Act 2018, you must tell employees what personal data you collect, why you collect it, how you store it, and how long you keep it. You also need to explain their rights, including the right to access their data and request its deletion.
An internal data protection policy should cover your lawful basis for processing employee data, retention periods, data security measures, and the process for handling subject access requests. This is separate from your website privacy policy, which covers customer and visitor data.
7. Social media and IT acceptable use policy
With most employees using smartphones and social media daily, a clear acceptable use policy prevents misunderstandings and protects your business.
Your policy should define what is acceptable use of company devices, email, and internet access. It should explain your position on personal social media use during work hours and set out the rules for posting about the company online. If you monitor employee communications or device usage, you are legally required to inform them, so your policy should cover this too.
A social media policy also helps protect your reputation. Employees posting negative or confidential information online can cause significant damage, and a clear policy gives you grounds to take action.
8. Flexible and remote working policy
Since April 2024, employees have the right to request flexible working from their first day of employment. They can make two requests per year, and you must respond within two months.
Your policy should explain how requests are made, how they are assessed, what arrangements are available (hybrid working, compressed hours, part-time, job sharing), and the grounds on which a request can be refused. If you have home workers, you also need to address health and safety obligations, equipment provision, and data security for remote working. We cover the detail of what to include in our guide to remote and hybrid working policies for SMEs.
9. Maternity, paternity and parental leave policy
Your policy should set out the entitlements, notice requirements, and pay arrangements for maternity, paternity, adoption, shared parental, and parental leave. Even if you only offer the statutory minimum, having it written down avoids confusion and ensures managers handle things consistently.
From April 2026, paternity leave and unpaid parental leave become day-one rights, meaning employees no longer need 26 weeks of service to qualify. Your policy should be updated to reflect this change.
Include information on keeping-in-touch (KIT) days, the right to return to the same role (or a suitable alternative), and protection from detriment or dismissal for taking family-related leave.
10. Whistleblowing policy
Under the Public Interest Disclosure Act 1998, employees who report certain types of wrongdoing are protected from being dismissed or subjected to detriment. Your whistleblowing policy should explain what qualifies as a protected disclosure (criminal offences, health and safety dangers, environmental damage, miscarriages of justice, and cover-ups), who to report concerns to internally, and what happens next.
It should also reassure employees that they will not face retaliation for raising genuine concerns in good faith. A clear policy encourages people to speak up early, giving you the chance to address problems before they escalate.
Where to start
If you have none of these policies in place, do not try to do everything at once. Start with the ones you are legally required to have: your disciplinary and grievance policy and, if you have five or more employees, your health and safety policy. Then work through the rest in order of priority for your business. While you are reviewing your compliance essentials, make sure your onboarding process includes proper right to work checks, which carry penalties of up to £60,000 per worker if you get them wrong.
If you are not sure what you are missing or where to focus, our HR health check is designed for exactly this situation. We review your existing documentation, identify the gaps, and help you prioritise what needs to be put in place first.
We can also draft all of these policies for you as part of our policies and procedures service, tailored to your business rather than copied from a generic template.
If you would like to discuss your current setup, book a free consultation and we will help you work out the best next steps.