What policies does a small business need?
Updated 3 July 2026 · Policy Mind guides
It depends on three things: how many people you employ, what data you handle, and what your business actually does. Here's the honest map, organised the way the obligations really work — legally required, expected, and sector-specific.
Legally required
- Privacy notice — required under UK GDPR from the moment you process any personal data: customers, staff, enquiries, CCTV footage. That covers virtually every business.
- Health & safety policy — every employer must have one, and it must be written down once you employ five or more people.
- Written statement of employment particulars — a day-one legal right for every employee and worker you hire: pay, hours, holiday, notice and more, in writing.
- Disciplinary & grievance procedures — employers must set these out (the written statement must say where to find them); a tribunal can increase an award by up to 25% where an employer unreasonably failed to follow the Acas Code.
- Cookie policy & consent — required under PECR if your website sets non-essential cookies or trackers.
Expected — by customers, insurers and partners
Not always statutory, but their absence costs you deals, cover and credibility:
- Information security policy — the first thing larger customers ask for in due diligence.
- Data retention & disposal policy — how long you keep records and when you securely delete them; also evidences UK GDPR's storage-limitation principle.
- Acceptable use / IT policy — the rules for company systems, devices and email once you have a team.
- Business continuity plan — expected of mid-size teams and in most B2B procurement.
Sector-specific
- Taking card payments → PCI DSS obligations. These are contractual (imposed by the card schemes through your acquirer or payment provider) rather than statutory, and the scope depends on how you take payments: a hosted checkout or terminal leaves you with far less to evidence than handling card numbers on your own systems.
- Health & care → safeguarding policies.
- Financial services → anti-money-laundering and financial promotions policies.
- Selling to consumers online → consumer contracts, returns and refunds policies.
- SaaS / software → a data processing agreement (DPA) your customers can sign. Where you process personal data on a customer's behalf, UK GDPR Article 28 requires a written contract with specific terms, so this is mandatory rather than a nicety.
The order to do it in
Start with what's legally required for your headcount and data, then add what your customers expect, then the sector extras. Two common mistakes: copying generic templates that don't describe your business, and writing everything once then never reviewing it. Policies only protect you while they're accurate.