HR Policies Every UK Business Must Have in 2026

Ross Forrester · 10 min read

Every UK business with employees needs certain HR policies in place. Some because the law explicitly requires them. Others because failing to have them removes legal defences you may desperately need at tribunal. In 2026, with the Employment Rights Act 2025 changing employer obligations across the board, having the right policies is more important than ever.

This article covers the six HR policies that are legally essential for UK businesses, the specific legislation behind each one, and the consequences of not having them.

Key Takeaways

  • UK businesses need 6 essential HR policies: disciplinary procedure, grievance procedure, health and safety policy, equal opportunities policy, data protection notice, and whistleblowing policy
  • Failing to follow the ACAS Code can increase tribunal awards by 25% (TULRCA 1992, s.207A)
  • Health and safety breaches are criminal offences with unlimited fines and up to 2 years' imprisonment
  • The Employment Rights Act 2025 removes the unfair dismissal compensation cap from January 2027
  • Discrimination awards are uncapped, and the median sex discrimination award in 2024/25 was £22,420

| Policy | Legal Basis | Key Penalty |
|---|---|---|
| Disciplinary procedure | ERA 1996, s.1(4)(d-e); ACAS Code | 25% tribunal award uplift |
| Grievance procedure | ERA 1996, s.1(4)(d); ACAS Code | 25% tribunal award uplift |
| Health and safety | HSWA 1974, s.2(3) | Unlimited fine + 2 years' imprisonment |
| Equal opportunities | Equality Act 2010, s.109(4) | Uncapped discrimination awards |
| Data protection notice | UK GDPR, Art. 13-14 | Up to £17.5M or 4% of turnover |
| Whistleblowing | PIDA 1998; ERA 2025, s.17 | Uncapped, automatically unfair dismissal |

What HR Policies Are Legally Required for UK Businesses?

UK businesses are legally required or strongly expected to have six core HR policies, each backed by specific legislation. According to Ministry of Justice Employment Tribunal Statistics, the median unfair dismissal award reached £13,541 in 2024/25, and missing even one of these policies can push that figure significantly higher.

The six policies fall into three categories: employment procedure (disciplinary and grievance), statutory obligation (health and safety, data protection), and legal defence (equal opportunities, whistleblowing). We've found that most SMEs have some version of two or three of these, but rarely all six. That gap creates real exposure.

1. Disciplinary and Dismissal Procedure

Legal basis: Employment Rights Act 1996 (ERA 1996), s.1(4)(d-e); ACAS Code of Practice on Disciplinary and Grievance Procedures

Since 6 April 2020, every employee must receive a written statement of employment particulars on or before their first day. That statement must reference the employer's disciplinary and dismissal procedures. Under the ACAS Code, these procedures must follow a structured process: investigation, written notification, a meeting, a decision, and a right of appeal. Tribunals can increase awards by up to 25% where an employer unreasonably fails to follow the Code, under the Trade Union and Labour Relations (Consolidation) Act 1992 (TULRCA), s.207A. The median unfair dismissal award in 2024/25 stood at £13,541, according to Ministry of Justice Employment Tribunal Statistics. A 25% uplift takes that to £16,926.

From 1 January 2027, when the unfair dismissal qualifying period drops to 6 months and the compensation cap is removed under ERA 2025, the importance of a well-documented disciplinary procedure increases dramatically. Without a cap, a poorly handled dismissal of a senior employee could result in a six-figure award.

What it must include:

  • Examples of misconduct and gross misconduct
  • The investigation process
  • Stages: informal discussion, first written warning, final written warning, dismissal
  • Timescales for each stage
  • Right to be accompanied at formal hearings (Employment Relations Act 1999, s.10)
  • Right of appeal and the appeal process

2. Grievance Procedure

Legal basis: Employment Rights Act 1996, s.1(4)(d); ACAS Code of Practice on Disciplinary and Grievance Procedures

The written statement of employment particulars must reference the grievance procedure. The ACAS Code requires a formal process for employees to raise concerns. The grievance procedure is distinct from the disciplinary procedure, and employers must treat them separately. The same 25% uplift under TULRCA 1992, s.207A applies here. Without a grievance procedure, employees may go directly to an employment tribunal rather than raising issues internally. Early conciliation through ACAS is now mandatory before most tribunal claims (under the Employment Tribunals Act 1996, s.18A), but employers with no internal grievance procedure lose the opportunity to resolve matters before they escalate.

From October 2026, the ERA 2025 extends employment tribunal time limits from 3 months to 6 months. This gives employees more time to bring claims, making it even more important to resolve grievances internally through a proper procedure. Have you reviewed your grievance procedure since the ERA 2025 received Royal Assent?

What it must include:

  • How to raise a grievance (who to contact, written or verbal)
  • The investigation process
  • The formal grievance meeting
  • The decision and communication of the outcome
  • The right of appeal
  • Timescales
  • How to raise a grievance about the employee's direct manager

3. Health and Safety Policy

Legal basis: Health and Safety at Work etc. Act 1974, s.2(3)

Every employer with 5 or more employees must have a written health and safety policy. This is not optional: failing to comply is a criminal offence. Health and safety breaches carry criminal penalties, not just civil liability. The Health and Safety Executive (HSE) can issue improvement notices, prohibition notices, and prosecutions. Under the Health and Safety at Work Act 1974, s.33, courts can impose unlimited fines and up to 2 years' imprisonment for certain offences. In 2024/25, the HSE prosecuted 398 cases with an average fine of £114,000 per conviction, according to the HSE's Annual Report. Small businesses face the same rules: the HSE specifically targets high-risk sectors including construction, manufacturing, and agriculture, but inspections can happen in any sector.

What it must include:

  • A general statement of your commitment to health and safety, signed and dated by the most senior person in the business
  • The organisational structure for managing health and safety (who is responsible for what)
  • The practical arrangements: risk assessments, fire procedures, first aid, accident reporting, equipment maintenance, training

4. Equal Opportunities / Anti-Discrimination Policy

Legal basis: Equality Act 2010, s.109(4); ERA 2025, s.15-16

Under the Equality Act 2010, employers bear vicarious liability for discrimination carried out by their employees in the course of employment. However, s.109(4) provides a defence: an employer can avoid liability by showing they took "all reasonable steps" to prevent the discrimination. Without a written equal opportunities policy, you lose that defence entirely. In Canniffe v East Riding of Yorkshire Council [2000] IRLR 555, the Employment Appeal Tribunal held that an employer who had taken no steps at all to prevent harassment could not rely on the s.109(4) defence. Discrimination awards are uncapped, and the median sex discrimination award in 2024/25 was £22,420, with awards regularly exceeding £100,000 in serious cases.

From October 2026, the ERA 2025 upgrades this to a positive duty to take "all reasonable steps" to prevent sexual harassment (s.15) and extends liability to third-party harassment (s.16). A written anti-discrimination policy is the starting point for demonstrating compliance.

What it must include:

  • A commitment to equality covering all 9 protected characteristics under the Equality Act 2010 (age, disability, gender reassignment, marriage/civil partnership, pregnancy/maternity, race, religion or belief, sex, sexual orientation)
  • Definitions of direct discrimination, indirect discrimination, harassment, and victimisation
  • Examples of unacceptable behaviour
  • The reporting process
  • How complaints will be investigated
  • Consequences for breaches
  • Training commitments

5. Data Protection / Employee Privacy Notice

Legal basis: UK GDPR, Articles 13-14; Data Protection Act 2018

The UK GDPR requires employers to provide employees with specific information about how their personal data is processed. This obligation starts from the point of data collection, which for employees means from the recruitment stage. The Information Commissioner's Office (ICO) enforces compliance through enforcement notices and fines. Under the UK GDPR, maximum fines reach £17.5 million or 4% of annual global turnover, whichever is higher. In practice, SME fines tend to be lower, but the ICO issued £15.2 million in fines across all sectors in 2024/25, according to the ICO's Annual Report. Employee data breaches represent a growing area of enforcement action.

Beyond fines, employees can bring individual compensation claims. In Lloyd v Google LLC [2021] UKSC 50, the Supreme Court confirmed that individuals can claim compensation for distress caused by data protection breaches even without financial loss. So what does your privacy notice actually need to contain?

What it must include:

  • The identity and contact details of the data controller (your business)
  • The purposes of processing and the legal basis for each (typically legitimate interests under Art. 6(1)(f) or contractual necessity under Art. 6(1)(b))
  • Categories of personal data processed
  • Recipients of personal data (e.g., HMRC, pension providers, payroll processors)
  • Retention periods
  • Employee rights: access, rectification, erasure, restriction, portability, objection
  • How to make a complaint to the ICO

6. Whistleblowing Policy

Legal basis: Public Interest Disclosure Act 1998 (as amended by ERA 1996, Part IVA); ERA 2025, s.17

While smaller employers don't face an explicit requirement to maintain a written whistleblowing policy, having one is strongly recommended. For publicly listed companies, the UK Corporate Governance Code requires it. From 6 April 2026, the ERA 2025 adds sexual harassment as a qualifying disclosure category, making a comprehensive whistleblowing policy even more important. If an employee is dismissed or suffers detriment for making a protected disclosure, that dismissal is automatically unfair regardless of length of service (ERA 1996, s.103A). No qualifying period applies, and no compensation cap exists for whistleblowing dismissals. The median whistleblowing award in 2024/25 was £28,877, but awards exceeding £1 million have been recorded in serious cases.

What it must include:

  • What qualifies as a protected disclosure (criminal offences, failure to comply with legal obligations, miscarriages of justice, dangers to health and safety, environmental damage, and from April 2026, sexual harassment)
  • How to make a disclosure internally (named contact or channel)
  • The investigation process
  • Protections for whistleblowers (no detriment, no dismissal)
  • How the policy applies to workers, not just employees
  • External reporting channels (regulators, prescribed persons)

Beyond the Six: Which Additional HR Policies Should You Have?

While the six policies above form the legal core, several additional policies are so commonly expected, and so useful in defending tribunal claims, that they are practically essential for any employer. According to the CIPD's HR Practices Survey (2024), over 80% of UK employers maintain at least four of the policies below.

In our experience, we've found that the gap between "legally required" and "practically essential" closes quickly once an employer faces their first tribunal claim. The policies below don't just tick compliance boxes. They provide the documented evidence trail that wins cases.

| Policy | Why You Need It |
|---|---|
| Sickness absence | Manages absence consistently. ERA 2025 SSP changes (day-one SSP from April 2026) make an updated policy critical. |
| Annual leave | Prevents disputes over holiday booking, carry-over, and pay. Working Time Regulations 1998 set the statutory minimum at 5.6 weeks. |
| Maternity leave / paternity leave / parental leave | Complex statutory entitlements that must be communicated clearly. ERA 2025 makes paternity and parental leave day-one rights from April 2026. |
| Flexible working | Day-one right to request since April 2024. ERA 2025 will require substantive explanations for refusals (2027 TBC). |
| Redundancy | The doubled protective award (180 days from April 2026) makes proper consultation procedures essential. |
| Probationary period | With the unfair dismissal qualifying period dropping to 6 months from January 2027, a clear probation framework is critical. |

How Does the ERA 2025 Change HR Policy Requirements?

The Employment Rights Act 2025 doesn't just add new requirements. It increases the consequences of existing gaps. With the compensation cap removal alone, the Ministry of Justice estimates that high-earner dismissal claims could routinely exceed £100,000 from January 2027.

We've reviewed dozens of SME policy sets since the ERA 2025 received Royal Assent in December 2025. The most common gap isn't a missing policy. It's an outdated one that still references the two-year qualifying period or the old compensation cap. Those outdated references can undermine your credibility at tribunal.

  • Uncapped unfair dismissal awards mean that a weak disciplinary procedure costs more than ever
  • Extended tribunal time limits (3 to 6 months from October 2026) give employees more time to bring claims
  • The "all reasonable steps" sexual harassment duty makes a written anti-harassment policy practically mandatory
  • Day-one unfair dismissal protection (from January 2027) means you need thorough, up-to-date policies from the moment an employee starts

For the full timeline of ERA 2025 changes, see our article: Employment Rights Act 2025: What UK SMEs Need to Know.

How Do I Audit My HR Policies?

A policy audit takes less than an hour and can save thousands at tribunal. According to Ministry of Justice Employment Tribunal Statistics, employment tribunal claims rose by 7% year-on-year in Q4 2024, making proactive compliance checks more valuable than reactive fixes.

Use this quick checklist to assess your current position:

If any of these are missing, outdated, or don't reflect your current practices, you need to act now. Are your policies ready for the ERA 2025 milestones in April and October 2026?

Frequently Asked Questions

Do I need all six policies even if I only have one employee?

Five of the six apply from your first employee: the disciplinary procedure, grievance procedure, equal opportunities policy, data protection notice, and whistleblowing policy. The health and safety policy only requires a written document once you reach 5 or more employees, though you still owe health and safety duties under the 1974 Act from your first hire. According to HSE guidance, employers of any size must conduct risk assessments and provide safe working conditions.

Can I combine policies into one document?

Yes. Many SMEs combine the disciplinary and grievance procedures into a single document, and combine equal opportunities with anti-harassment. As long as each required element is covered, the format is flexible. An employee handbook is a common way to bring all policies together in one accessible place.

How often should I review my HR policies?

At a minimum, review annually and after any significant change in employment law. With the ERA 2025 introducing changes through to 2027, we recommend reviewing at each implementation milestone: April 2026, October 2026, and January 2027. The CIPD recommends that businesses treat each legislative milestone as a trigger for a full policy review.

Are there penalties for having outdated policies?

Having a policy that references repealed legislation (such as the Strikes (Minimum Service Levels) Act 2023, repealed in December 2025) doesn't attract a specific penalty. However, it undermines your credibility at tribunal and may suggest that your HR practices generally aren't current. A tribunal may treat outdated policies as evidence that you didn't take "all reasonable steps" under the Equality Act or the ACAS Code.

Do these policies apply to workers as well as employees?

Some do. Whistleblowing protection applies to "workers" (a broader category than "employees" under ERA 1996, s.43K). The Equality Act 2010 protections apply to "employees" under a broader definition that includes most workers. Health and safety duties cover everyone affected by your work activities. The ERA 2025 further extends certain protections to workers, particularly around zero-hour contracts and guaranteed hours.
