The answer depends on the policy — and on whether you have someone watching the regulatory horizon for you.
Most HR teams produce a set of policies at some point — often when they are required for an audit, an investor, or a new contract — and then leave them in a shared drive where they quietly go stale. The question of when to update them tends to get answered by crisis rather than planning: a tribunal claim, an ICO inquiry, or a manager asking "wait, does our disciplinary procedure still say we need to write letters?"
This article sets out a more systematic approach — by policy type, regulatory trigger and business event.
Most compliance frameworks recommend an annual review of all HR and governance policies as a minimum. In practice, what this means is a structured check against two things: has anything in the relevant law or guidance changed since the last review, and has anything in our organisation changed that makes the policy inaccurate?
An annual review date — typically January or April to align with the start of a tax or financial year — should be built into every policy document itself, along with the name of the person responsible for the review.
Some policy areas move faster than others. Data protection is the clearest example. The ICO publishes updated guidance several times a year. Enforcement notices frequently set new expectations about what "reasonable steps" means in practice. A data protection policy that was accurate in January may be out of step with ICO expectations by April without any new legislation having been passed.
AI governance is now in the same category. The EU AI Act's phased implementation schedule, the ICO's developing Article 22 case law, and the UK AI Bill's parliamentary progress mean that AI-related policies need review at least quarterly if your organisation uses AI tools in any material business process.
Employment law is somewhat more stable — major statutory changes typically come into force in April — but ACAS updates its Codes of Practice periodically, and tribunal decisions can shift the practical standard of care faster than most HR teams realise. The Worker Protection Act's extension to third-party harassment in January 2026 is a recent example: it required policy changes without any new Act of Parliament, just a new phase of existing legislation taking effect.
Regardless of your scheduled review cycle, certain events should always trigger an immediate policy review:
For most organisations below about 250 employees, there is no one whose full-time job is to watch the regulatory horizon. The HR manager is dealing with recruitment, absence, and performance. The IT manager is firefighting. The finance director is focused on the numbers. Nobody has a dedicated slot to read ICO guidance updates or Employment Tribunal Weekly.
This is why a subscription-based policy service — one that monitors regulatory change and pushes updated documents automatically — is more cost-effective than attempting to manage policy currency in-house. The cost of a single Employment Tribunal claim, measured in management time alone, typically exceeds several years of a policy subscription.
Subscribers receive updated policy documents and quarterly regulatory briefings automatically.
View subscription plansChartered MCIPD
Claire Donovan is a Chartered Member of the CIPD with extensive experience as an HR and employment law practitioner. She specialises in policy development, disciplinary procedures, and workforce compliance for UK employers.