For founders and leaders of early-stage companies, startups, and small businesses in Ireland without dedicated HR.
They'll learn exactly which policies are required by law, what each must contain, which additions are strongly recommended, and practical tips for implementing them simply while minimizing legal risks such as claims and prosecutions.
Key Takeaways
- Small companies have full employment law obligations; lack of policies weakens defence in WRC claims.
- Mandatory: Safety Statement (hazards, risks, controls), Dignity at Work Policy (anti-harassment procedures), Protected Disclosures Policy (for 5+ employees).
- Recommended: Disciplinary Procedure (stages, appeals), Grievance Procedure (resolution steps), Data Protection Policy (GDPR compliance).
- Policies must be written, shared with employees, reviewed, and followed consistently.
- Simple, plain-language documents are effective for small teams; there is no need for lengthy HR manuals.

Why Do Policies Matter for Small Companies?
The instinct in an early-stage company is to move fast and treat formal documentation as something for later, when there are HR resources to manage it.
The problem is that employment law does not scale with headcount. A company with three employees has the same legal obligations as a company with three hundred in most respects, and the same exposure when things go wrong.
When a WRC claim is brought, whether for unfair dismissal, harassment, or a protected disclosure, one of the first things an adjudicator will ask is whether the company had relevant policies in place and whether they were followed. The absence of a policy is not a neutral fact. It is routinely used as evidence that the employer failed to take their obligations seriously.
Mandatory Policies
Below we have set out the mandatory policies that a company must have in place.
Safety Statement
Every employer in Ireland is required to have a written safety statement under Section 20 of the Safety, Health and Welfare at Work Act 2005.
The safety statement is a written document that identifies the hazards present in your workplace, assesses the risks those hazards create, and sets out the measures in place to manage them.
For an office-based company with a small team, this does not need to be an elaborate document: a concise, accurate statement that reflects your actual workplace is entirely sufficient. The Health and Safety Authority publishes guidance and templates for small businesses that can be adapted without significant effort.
What the statement must include:
- Identification of workplace hazards (slips, trips, electrical equipment, screen-based work, lone working where relevant)
- An assessment of the risk level associated with each hazard
- The protective measures in place to eliminate or reduce each risk
- The names of the people responsible for safety in the workplace
- The arrangements for consulting with employees on safety matters
The safety statement must be reviewed regularly (in practice, whenever something material changes in the workplace) and must be brought to the attention of all employees, particularly new starters.
Failure to have a safety statement in place can result in enforcement action by the Health and Safety Authority, including improvement notices and prosecution.
Dignity at Work Policy
A dignity at work policy, sometimes called an anti-harassment or anti-bullying policy, is required under the Employment Equality Acts 1998–2015 and the Code of Practice for Employers and Employees on the Prevention and Resolution of Bullying at Work.
The policy sets out the company's commitment to a workplace free from harassment, sexual harassment, and bullying, and provides a mechanism for employees to raise complaints if they experience or witness such behaviour.
What it must cover:
- A clear statement that harassment, sexual harassment, and bullying are unacceptable and will not be tolerated
- Definitions of what constitutes harassment, sexual harassment, and bullying under Irish law
- The informal and formal procedures available to an employee who wishes to raise a complaint
- A commitment to confidentiality throughout the process
- Protections against retaliation for employees who make a complaint in good faith
The consequences of not having this policy are significant. Under the Employment Equality Acts, an employer can be held vicariously liable for acts of harassment committed by one employee against another, unless the employer can show they took reasonably practicable steps to prevent it. A written policy, communicated to all employees, is a core part of that defence.
Protected Disclosures Policy
Any company with five or more employees is required to have a formal internal reporting channel and written protected disclosures policy under the Protected Disclosures (Amendment) Act 2022, which transposed the EU Whistleblowing Directive into Irish law.
For companies with fewer than five employees, a formal written policy is not legally mandated, but given that the underlying protections for whistleblowers apply from day one of employment regardless of company size, having even a basic policy in place is strongly advisable.
What the policy must address:
- The channels through which an employee can make a protected disclosure: typically a named person or dedicated email address
- Acknowledgement of receipt of the report within seven days, and follow-up within three months
- A commitment to confidentiality regarding the identity of the person making the disclosure
- The protections available to employees who make a protected disclosure in good faith, including protection from penalisation
It is important to be aware that penalising an employee for making a protected disclosure, including dismissing them, demoting them, or subjecting them to any form of detriment, is one of the most serious categories of employment law violation in Ireland. Compensation awards can be significant, and the reputational consequences of a high-profile whistleblowing case are considerable.
Strongly Recommended Policies
Below we have set out the policies that we would strongly recommend a company have in place.
Disciplinary Procedure
A written disciplinary procedure is not technically a statutory requirement, but the Industrial Relations Act 1990 Code of Practice on Disciplinary Procedures and the WRC's Code of Practice on Grievance and Disciplinary Procedures set out the standards against which employer conduct is measured when a dismissal is challenged.
Every unfair dismissal case that comes before the WRC is assessed against these standards. If you do not have a written procedure, you are defending your actions against a benchmark you haven't published, which is a difficult position to be in.
What a basic disciplinary procedure should include:
- The range of behaviours that may give rise to disciplinary action, including examples of gross misconduct
- The stages of the process: verbal warning, written warning, final written warning, dismissal
- The employee's right to be accompanied at each stage
- The right to appeal any disciplinary decision
- Confirmation that the procedure applies during probation, with appropriate modifications
The procedure does not need to be lengthy. A clear, straightforward document of two to three pages is sufficient for most small companies.
Grievance Procedure
A grievance procedure provides employees with a formal mechanism for raising concerns about their employment: pay disputes, working conditions, interpersonal issues, or management conduct.
Without a grievance procedure, employees who have concerns have no internal channel to exhaust before going to the WRC. In practice, this means minor issues that could have been resolved internally escalate into formal claims.
The grievance procedure should set out the informal and formal steps available to an employee, the timescales for responding at each stage, and the right to appeal. Like the disciplinary procedure, it does not need to be a complex document: clarity and accessibility matter more than length.
Data Protection Policy
GDPR requires organisations that process personal data to implement appropriate technical and organisational measures to protect it. A written data protection policy is one of those organisational measures.
For a company with employees, data protection is unavoidable: you are processing personal data from the moment you collect CVs, issue payslips, or store contact details. A basic data protection policy should cover:
- The categories of personal data the company collects and processes
- The legal basis for each category of processing
- How long data is retained before deletion
- The security measures in place to protect personal data
- The rights of individuals and how to exercise them, including the right to access, correct, and delete their data
- The process for responding to a data breach
This policy should be communicated to employees as part of onboarding, and ideally referenced in the employment contract.
How Detailed Do Policies Need to Be for a Small Company?
The honest answer is that policies for a small company do not need to be elaborate, but they do need to be real.
A safety statement that accurately reflects a three-person office is entirely valid. A dignity at work policy that runs to two pages but clearly covers the required ground is better than a ten-page document nobody reads. A disciplinary procedure that sets out the key stages in plain language is more useful than a dense document modelled on a corporate HR manual.
The key requirements are that policies:
- Actually exist in writing and are not just understood informally
- Are communicated to all employees: ideally at onboarding and referenced in the employment contract
- Are applied consistently: a policy that exists on paper but is never followed provides limited protection
Keeping all policies in a single accessible location (a shared drive folder, an employee handbook, or an onboarding document) makes it easier to demonstrate that employees were informed of them, which matters if a claim is ever made.

Laura Ryan is a practising Barrister at the Bar of Ireland. She graduated from the Honourable Society of King’s Inns in 2024, having previously qualified and practised as a Chartered Accountant in a big four accounting firm.












