The documents every small business should have (but probably doesn't)



There's a particular kind of procrastination that small business owners are very good at. It's not the obvious kind, where you scroll Instagram instead of sending that email. It's the more sophisticated kind, where you tell yourself you'll sort the important stuff out "when things calm down a bit."

The policies. The procedures. The documents that make your business properly protected and professionally run. The ones that sit on the mental to-do list for months, sometimes years, quietly generating low-level guilt every time you think about them.

I know this because I've spent time writing exactly these documents for small businesses and purpose-led organisations.

So consider this your nudge. Here are the documents most small businesses should have, what they're actually for, and an honest assessment of how complicated they are to put together.

Data Protection and Privacy Policy

Let's start with the one that has legal teeth.

If your business collects, stores or processes any personal data — and almost every business does, even if it's just an email list or client contact details — you are required under UK GDPR to have a privacy policy. This isn't optional, and it isn't just for big companies.

Your privacy policy should explain what data you collect, why you collect it, how you store it, how long you keep it, and what rights people have over their own data. If you have a website, it needs to be publicly accessible there.

The good news is that for most small businesses this document doesn't need to be enormous or written by a lawyer. It does need to be accurate and kept up to date. If you're registered with the ICO, which most businesses handling personal data should be, their website has genuinely useful guidance on what to include.

Terms and Conditions of Service

This is the document that protects you when things go wrong.

Your terms and conditions set out the basis on which you work with clients. Payment terms, what happens if a project scope changes, cancellation terms, what you're responsible for and what you're not, intellectual property ownership, and how disputes are handled.

Without them, you're relying on goodwill and verbal agreements if a client relationship turns difficult. Most of the time that's fine. But the one time it isn't fine, you'll wish you had something in writing.

If you have a website, a website terms of use policy is worth having separately — this covers things like copyright of your content, limitation of liability for the information on your site, and acceptable use.

Complaints Procedure and Policy

Nobody likes to think about complaints. But having a clear, documented process for handling them is one of the most professional things a small business can do.

A complaints policy sets out your commitment to handling complaints fairly and promptly. A complaints procedure explains the actual steps — how someone raises a complaint, who handles it, what the timescales are, and what happens if it isn't resolved to their satisfaction.

If you work with regulated clients, charities or public sector organisations, having a complaints procedure is often a requirement rather than a choice. And even if it isn't required, it signals that you take your clients seriously and have thought about what good service looks like when things go wrong.

If you have a website, a simplified version of your complaints policy sitting there quietly is worth having too.

AI Usage Policy and Cyber Security Policy

I'm grouping these together because they're increasingly inseparable, and because they're the two documents most small businesses are furthest behind on.

If anyone in your business uses AI tools — and they almost certainly do, even if you haven't officially sanctioned it — you need an AI usage policy. This sets out which tools are approved, what information can and cannot be shared with them, how AI-generated content should be handled, and what to do if something goes wrong. I've written a whole post about this: Why every small business needs an AI policy.

Your cyber security policy sits alongside this. It covers how your business protects its data and systems — password management, device security, what to do in the event of a breach, and how you handle sensitive information day to day. With cyber incidents affecting businesses of all sizes, this is no longer something you can reasonably put off.

If you work with clients on their data, a set of GDPR guidelines for client projects is also worth having — a short internal document that sets out how you handle client data responsibly throughout an engagement.

Business Continuity Plan

What happens to your business if something goes wrong?

A business continuity plan, or BCP, is a document that answers that question before it becomes urgent. It covers things like: what happens if you're ill for an extended period, what your critical business functions are and how they'd be maintained in a crisis, who your key contacts are, where your important documents and login details are stored, and how you'd communicate with clients if something disrupted your normal operations.

For a solo operator or very small team, a BCP doesn't need to be complex. But having one means that if something unexpected happens, you or someone supporting you has a clear picture of what needs to happen next. It's also increasingly something larger clients and public sector organisations ask about as part of supplier due diligence.

Health and Safety Policy

If you have employees in the UK, you are legally required to have a health and safety policy once you have five or more staff. If you're a sole trader or a very small team, it's still worth having a simple one in place.

For remote businesses, health and safety might feel like a theoretical concern. But it covers things like lone working, display screen equipment assessments for home workers, and your responsibilities if associates or contractors work on your behalf. A simple, honest document that reflects how your business actually operates is all you need.

Equality, Diversity and Inclusion Policy

An EDI policy sets out your commitment to treating everyone fairly, regardless of age, gender, race, disability, religion, sexual orientation or any other protected characteristic.

For small businesses, this document matters in a few ways. It sets the tone for your culture and values. It's often required if you work with public sector clients or apply for certain contracts. And it gives anyone working with or for you a clear sense of what you stand for.

It doesn't need to be long or corporate. The most effective EDI policies are the ones that reflect what the business genuinely believes rather than ticking a box.

The HR trio: Disciplinary, Grievance and Expenses Policies

If you have employees or regular associates, these three documents matter more than you might think.

A disciplinary policy sets out what happens if someone's conduct or performance falls below what's expected, and the process for handling that fairly. A grievance policy gives employees a clear route for raising concerns. An expenses policy sets out what can and cannot be claimed, and how.

Without these, you're navigating difficult conversations without a framework. With them, everyone knows where they stand.

What about a Carbon Reduction Plan?

This one is less universally required but worth knowing about. If you tender for public sector contracts over a certain value in the UK, you may be required to have a carbon reduction plan in place. The threshold and requirements have been evolving, so it's worth checking the current government guidance if this is relevant to your business.

So where do you start?

If you've read this list and felt a mixture of recognition and mild panic, you're not alone. Most small businesses have some of these documents and not others, or have versions that were written years ago and never updated.

The honest answer is: start with the ones that are legally required or that protect you most directly. Data protection and privacy policy, terms and conditions, and an AI usage policy if your team uses AI tools. Then work through the rest in order of relevance to your business.

If you'd like help getting these written, reviewed or updated, that's exactly the kind of work I do. I can help you work out which documents you actually need, build them in a way that reflects your business rather than copying a generic template, and make sure they're practical enough that people will actually use them.

Get in touch here and we can have a conversation about where to start. You can also find out more about the governance and compliance support I offer on my services page.


Victoria Lincoln is a fractional operations partner helping small businesses, start-ups and purpose-led organisations get their systems, processes and day-to-day running properly sorted. Hands-on delivery, without the overhead of a full-time hire. Working remotely from Devon across the UK and Ireland. Find out more at The Efficiency Partner
