
The 5 Policies Every UK Business Must Have (By Law)


Let's cut through the noise. There's a lot of advice about what policies you "should" have. Here's what you're actually legally required to have.

1. Health and Safety Policy

Required if: You have 5 or more employees

What it needs: Your general approach to health and safety, who's responsible for what, and the arrangements you have in place.

The law: Health and Safety at Work etc. Act 1974, Section 2(3)

2. Disciplinary and Grievance Procedures

Required if: You have employees (any number)

What it needs: The steps you'll follow for disciplinary matters and how employees can raise grievances.

The law: Employment Rights Act 1996, Section 3 — you must provide this information in writing.

3. Data Protection / Privacy Policy

Required if: You process any personal data (so, everyone)

What it needs: How you collect, use, and protect personal data. Must comply with UK GDPR.

The law: UK GDPR, Articles 13-14

4. Written Statement of Employment Particulars

Required if: You have any employee or worker

What it needs: A document setting out the terms of employment — pay, hours, holidays, notice, place of work, disciplinary and grievance procedures, and more. Must be given on or before Day 1 of employment.

The law: Employment Rights Act 1996, Section 1 (as amended by the Good Work Plan, in force since April 2020).

This is the one most small employers miss. It is not optional, it is not just for permanent staff, and "we sent a contract" is not the same thing. The statement has specific required content set out in statute, and failure to provide it can lead to tribunal awards of up to four weeks' pay per missing element.

5. Health and Safety Risk Assessment

Required if: You have employees (any number — not just 5+)

What it needs: A documented assessment of workplace risks and the steps you take to control them. For employers with five or more employees, the assessment itself must be recorded in writing.

The law: Management of Health and Safety at Work Regulations 1999, Regulation 3.

People often confuse the written Health and Safety Policy (which only applies at 5+ employees, see Section 1) with the underlying duty to assess risk, which applies from your first employee. The risk assessment is the live working document; the policy is the high-level statement. You need both, in different forms, depending on your size.

What ERA 2025 Changed About This List

Several of the policies above need updating in light of the Employment Rights Act 2025. The legally required core has not shifted — the five above remain the baseline — but the content of each needs reviewing:

  • Disciplinary and grievance procedures now need to account for the unfair dismissal qualifying period dropping to six months of service. Performance management informality is more costly post-2026.
  • Written statements of particulars should reflect new day-one rights to parental and bereavement leave under ERA 2025.
  • Data protection notices should now cover bereavement leave records, including early pregnancy loss — sensitive personal data with specific handling requirements.
  • Equality and diversity — while still not a standalone legal requirement, expectations around documented anti-harassment measures have risen sharply following the Worker Protection (Amendment of Equality Act 2010) Act 2023, which is now bedded in.

For the full picture of what ERA 2025 changes about your handbook, see our Employment Rights Act 2025 guide and our practical action list.

Even when the core five are in place, common follow-on policies like sickness absence are frequently non-compliant.

The Minimum Viable Handbook

If you're starting from scratch and want to be legally compliant with minimum effort:

  1. Health and safety policy (if 5+ employees)
  2. Disciplinary procedure
  3. Grievance procedure
  4. Privacy/data protection notice
  5. A clear statement on equality

That's your legal baseline. Everything else is risk management and good practice.

Common questions about legally required HR policies

How many HR policies are legally required in the UK?

There is no single "official" number. The five above (Health and Safety Policy at 5+ employees, Disciplinary and Grievance Procedures, Data Protection Notice, Written Statement of Particulars, and Risk Assessment) are the policies with the clearest statutory basis. Beyond these, additional policies are required in specific contexts (e.g. modern slavery statements for businesses over £36m turnover, gender pay gap reporting for 250+ employees).

Does a small business need an employee handbook?

You are not legally required to bundle your policies into a single "handbook" document. You are legally required to provide certain information (Section 1 statement, disciplinary and grievance procedures, data protection notice). Most small employers choose a handbook because it is easier to maintain one document than several. Either approach is compliant if the underlying information is there.

What happens if I don't have these policies?

Penalties vary. Failing to provide a Written Statement of Particulars can result in tribunal awards of two to four weeks' pay per missing element. Failing to follow the ACAS Code on disciplinary procedures can increase a successful unfair dismissal award by up to 25%. Failing to provide UK GDPR-compliant data protection notices can result in ICO enforcement action. None of these are theoretical.

Are template policies enough to be compliant?

A template policy is the starting point, not the finish line. Compliance depends on whether the policy reflects your actual practice, is communicated to staff, and is followed in real cases. A perfectly worded template that nobody follows offers no legal protection. This is why an "audit your existing handbook" approach typically uncovers more risk than starting from a blank template. Bounda exists specifically to close the gap between £600 template packs and £3,000 solicitor engagements. Read the founder's story for the longer version of why.
