The compliance baseline has shifted. Here is what every UK employer must have in place.
Updated quarterly as UK law changes · Written by Simon Steggles, AI Director Ltd · Reviewed by Daniel Whitmore, Employment Law Solicitor
If you run a UK business and employ people, you are legally required to have certain written policies in place — regardless of your size. The list has grown significantly over the last five years, and 2026 has added further obligations. Here is a plain-English breakdown of the minimum requirements.
Employment policies you are legally required to have
Under the Employment Rights Act 1996, employees are entitled to a written statement of employment particulars from day one. But several additional policies are also required by statute:
Disciplinary and grievance procedures. Required under the Employment Rights Act 1996. Must follow the ACAS Code of Practice on Disciplinary and Grievance Procedures. Tribunal compensation can be increased by up to 25% if the Code has not been followed.
Health and safety policy. Required under the Health and Safety at Work Act 1974 for any employer with five or more employees. Must be written and communicated to all staff.
Anti-harassment and anti-bullying policy. The Worker Protection (Amendment of Equality Act 2010) Act 2023, which entered its second phase in January 2026, imposes a positive duty on employers to take reasonable steps to prevent sexual harassment. An anti-harassment policy is now effectively mandatory as evidence of compliance with that duty.
Data protection and privacy notices. Required under UK GDPR. You must tell employees what data you collect about them, why, and how long you keep it. A failure to provide this at the point of collection is a regulatory breach, not just a technical omission.
Equal opportunities and diversity policy. While not technically mandated by statute in all cases, it is required practice for compliance with the Equality Act 2010, particularly if you employ five or more people or operate in any regulated sector.
Policies that are practically required
Beyond the statutory floor, several policies have become de facto requirements either because regulators expect to see them or because the consequences of not having them are severe:
Data retention and disposal policy. The ICO expects organisations to have a documented data retention schedule. Without one, any subject access request or enforcement inquiry will immediately expose a gap.
Information security policy. Required under UK Cyber Essentials if you handle government contracts or personal data at scale. Also expected by insurers offering cyber liability cover.
Acceptable use of IT policy. Establishes ground rules for use of company systems and is essential protection if you ever need to take disciplinary action for misuse.
Remote and hybrid working policy. Following the normalisation of hybrid work, the absence of a written policy creates ambiguity around health and safety obligations, data handling and hours of work.
What 2026 has added
This year's regulatory activity has moved the baseline further for most UK employers:
AI governance policy. If your organisation uses AI tools — including ChatGPT, Copilot, or any AI-assisted recruitment or performance management software — you need a policy governing their use. The ICO's Article 22 enforcement action against TalentReach Ltd (£950,000 fine, March 2026) made clear that using AI in HR decisions without documented governance is high-risk.
Non-financial misconduct policy. Following FCA guidance published in Q1 2026, financial services employers must have a written policy on non-financial misconduct. But the underlying principle — that misconduct outside work can have professional consequences — is now expected across other regulated sectors too.
Third-party harassment procedure. The second phase of the Worker Protection Act 2023, effective January 2026, extends the reasonable steps duty to cover harassment by customers and contractors. Your anti-harassment policy needs to reflect this.
How CompanyPolicies.co.uk helps
Our Full Suite Standard subscription covers all 45 core policies that a UK private sector employer needs — including all of the above. Complete a 15-minute questionnaire and receive the full suite, personalised with your organisation's details, as professionally formatted PDF files, ready to adopt. Subscribers receive updates automatically when regulations change.
Simon Steggles is the founder of AI Director Ltd and the product lead behind CompanyPolicies.co.uk. He has spent over a decade helping UK businesses navigate employment law, data protection, and governance requirements. His work focuses on making compliance practical and accessible for organisations of every size.
Daniel Whitmore is an Employment Law Solicitor (England & Wales) with a practice focused on SME compliance, tribunal representation, and employment contract drafting for UK businesses.