A lot of Indian companies operate on trust, habit, and informal understanding when it comes to HR. The rules exist somewhere in someone’s head, or in a document that was written five years ago and has not been touched since. This works until it does not.
A workplace dispute, a regulatory inspection, an ISO audit, or simply a senior employee leaving and taking institutional knowledge with them: any of these can expose how much your HR framework depends on informal systems.
This is not about creating paperwork for the sake of it. Documented HR policies protect both the employer and the employee. They set clear expectations, reduce the room for disputes, and give your organization a defensible position when things go wrong.
Here is a comprehensive list of HR policies every Indian company should have in place in 2026, along with why each one matters.

Policies Required Under Indian Law
These are not optional. If your organization meets the applicable thresholds, you are legally required to have these in place.
Prevention of Sexual Harassment (POSH) Policy
Mandatory for all organizations with 10 or more employees under the Sexual Harassment of Women at Workplace Act, 2013. The policy must define what constitutes sexual harassment, outline the complaint process, and detail the Internal Complaints Committee (ICC) structure. Beyond legal compliance, having a well-documented and communicated POSH policy is increasingly a requirement for enterprise clients and ISO certifications.
Maternity Benefit Policy
Under the Maternity Benefit (Amendment) Act, 2017, women employees are entitled to 26 weeks of paid maternity leave for the first two children. Organizations with 50 or more employees must also provide creche facilities. Indian courts have increasingly held that maternity leave should not be treated as a break in service. This has direct implications for how organizations calculate seniority, increments, and continuity of benefits during maternity leave. Your HR policy should explicitly reflect this: it should not just document the leave entitlement but also clarify how the period is treated for all service-related calculations.
Gratuity Policy
Applicable to organizations with 10 or more employees under the Payment of Gratuity Act, 1972. Employees who have completed five or more years of continuous service are entitled to gratuity on separation. The policy should document eligibility, calculation methodology, and the payout process to avoid disputes at the time of exit. For a deeper walkthrough of how the calculation works, see our complete guide to gratuity rules in India.
Provident Fund and ESI Policy
EPF contributions are mandatory for organizations with 20 or more employees under the framework administered by the Employees’ Provident Fund Organisation. ESIC applies to organizations with 10 or more employees where individual salaries fall below the threshold. Employees frequently have questions about contribution rates, UAN activation, and withdrawal. A clear documented policy reduces the load on your HR team and sets the right expectations from day one.
Core HR Policies Every Organization Needs
These are not legally mandated in the same way, but they form the operational backbone of your HR function. Absence of any of these creates ambiguity that eventually costs you.
Leave Policy
This should cover all leave types including earned leave, casual leave, sick leave, compensatory off, optional holidays, and any special leaves your organization offers. It should also specify accrual rules, carry-forward limits, encashment terms, and the application process. Vague leave policies are one of the most common sources of employee dissatisfaction in Indian workplaces.
Code of Conduct Policy
This defines acceptable and unacceptable behavior in the workplace, including standards for professional conduct, conflict of interest, social media use, and interactions with clients and vendors. A documented code of conduct is your first line of defense in any disciplinary proceeding. Without it, enforcing behavioral standards becomes legally complicated.
Recruitment and Hiring Policy
Documents the end-to-end hiring process including sourcing, interview stages, offer approval, background verification, and onboarding. This is particularly important for growing companies where hiring is decentralized across business units and inconsistency in the process creates compliance gaps.
Performance Management Policy
Covers the appraisal cycle, rating methodology, goal-setting process, and how performance outcomes link to increments, promotions, and exits. When this is not documented, performance-related separations are almost always challenged by employees. A clear policy makes the process defensible.
Separation and Exit Policy
Should cover resignation procedures, notice period terms, full and final settlement timelines, exit interviews, and asset return. In India, notice period disputes and delayed F&F settlements are extremely common. A well-documented exit policy significantly reduces friction and potential legal exposure at the time of separation.
Grievance Redressal Policy
Employees need a formal, documented channel to raise concerns beyond their immediate manager. This policy should define the escalation path, response timelines, and how confidentiality is maintained. Organizations that lack this often find minor grievances escalating into formal complaints or labor disputes simply because employees had no structured outlet.
Data, IT, and Confidentiality Policies
With the DPDP Act now in effect, these policies have moved from best practice to a compliance requirement for most organizations.
Data Privacy and Protection Policy
Covers how the organization collects, stores, processes, and protects personal data of employees, customers, and third parties. Under the Digital Personal Data Protection Act, 2023, organizations are required to demonstrate employee awareness of data handling obligations. This policy, combined with documented acknowledgement from all employees, is the foundation of that compliance. PolicyCentral.ai’s Security & Compliance feature handles the acknowledgement-tracking side of that natively.
IT Acceptable Use Policy
Defines how employees are expected to use company devices, networks, software, and email. Covers what is permitted, what is prohibited, and what monitoring the organization conducts. This policy is a baseline requirement for ISO 27001 and is increasingly reviewed by enterprise clients during vendor due diligence.
Confidentiality and Non-Disclosure Policy
Separate from the NDA that employees sign at onboarding, an internal confidentiality policy documents ongoing obligations around handling sensitive business information, client data, and proprietary processes. This is particularly important for organizations where employees regularly handle client data or work on sensitive projects.
Policies That Are Increasingly Expected in 2026
These may not be legally mandated for all organizations but are becoming standard expectations, particularly for companies dealing with enterprise clients, global teams, or regulatory scrutiny.
Remote and Hybrid Work Policy
Covers eligibility, working hour expectations, equipment provision, data security obligations for remote workers, and attendance norms. With hybrid work now a permanent feature for many Indian companies, leaving this undocumented creates confusion and inconsistency. For a deep dive on what to document and why, see our guide to building a WFH policy that holds up in 2026.
Expense Reimbursement Policy
Defines what is reimbursable, approval workflows, submission timelines, and documentation requirements. Expense disputes are a recurring source of friction between employees and finance teams when this is not clearly documented.
Social Media Policy
Outlines what employees can and cannot say publicly about the organization, its clients, and its competitors. Particularly relevant for client-facing teams and employees in senior roles.
Whistleblower Policy
Provides employees a protected channel to report unethical conduct, fraud, or compliance violations without fear of retaliation. Listed companies in India are required to have this under SEBI’s LODR Regulations, but it is good practice for any organization of meaningful size.
Drug and Alcohol Policy
Defines the organization’s stance on substance use, particularly relevant for manufacturing, logistics, and safety-critical environments.
Having Policies Is Only Half the Job
Many organizations have most of these policies written somewhere. The gap is not in documentation; it is in distribution, acknowledgement, and maintenance.
A policy that exists in a shared drive but has not been formally communicated, acknowledged, or updated in three years offers very limited protection. When a dispute arises or an auditor asks for evidence, what matters is whether the employee was made aware of the policy and formally confirmed their understanding. A document sitting in a folder does not prove that.
This is the gap that policy management software closes. Platforms like PolicyCentral.ai ensure that every policy reaches the right employees, acknowledgements are tracked with digital signatures, and the entire record is audit-ready at any point. When policies are updated, the system automatically notifies affected employees and captures fresh acknowledgements. Nothing falls through the cracks.
For HR teams managing a growing organization, this removes an enormous administrative burden and replaces it with a process that runs largely on its own.
Where to Start
If you are building your HR policy framework from scratch, start with the legally mandated ones. Get your POSH policy, leave policy, and statutory benefit policies documented and distributed first. Then layer in the core operational policies like code of conduct, performance management, and exit.
If you already have most of these in place, the more useful exercise is an audit of what you have. Check when each policy was last reviewed, whether it reflects current law and practice, and whether you have acknowledgement records from your current workforce. You may find the policies exist but the system around them does not.
Either way, the goal is the same: policies that are current, accessible, and traceable. That is what protects the business and builds a workplace people can actually trust.
Frequently Asked Questions
Which HR policies are legally mandatory in India, and at what employee thresholds?
The headline statutory triggers are: POSH (10+ employees), Gratuity (10+), ESIC (10+ where individual salaries fall below the wage threshold), EPF (20+), Maternity Benefit (10+, with creche facilities required at 50+). Sector-specific rules and state Shops and Establishments Acts add further requirements.
Do startups under 10 employees still need a POSH policy?
The Sexual Harassment of Women at Workplace Act 2013 mandates an Internal Complaints Committee for organizations with 10 or more employees. For smaller organizations, complaints are handled through the Local Complaints Committee at the district level. That said, having a documented POSH policy and reporting channel is good practice from day one, especially because most enterprise clients ask for it during vendor due diligence regardless of headcount.
How often should HR policies be reviewed?
Annual review is a defensible baseline. Trigger an off-cycle review when the law changes (e.g., a new amendment to the Maternity Benefit Act or a fresh DPDP rule), when an internal incident exposes a gap, or when the organization crosses a threshold (10, 20, 50, 100 employees) that brings new statutory obligations into scope.
Is employee acknowledgement of HR policies legally required?
Acknowledgement is not a single statutory requirement, but it is what makes a policy enforceable in practice. In disciplinary proceedings, performance-linked separations, POSH inquiries, and DPDP audits, the recurring question is “was the employee aware of the policy?” A document with a dated digital signature is the cleanest answer.
Does the DPDP Act require employee training on data handling?
The Digital Personal Data Protection Act, 2023 places clear obligations on data fiduciaries to ensure personal data is handled lawfully. Employee awareness and documented acknowledgement of the data privacy policy are the foundational evidence regulators look for. Periodic training is strongly recommended even where not explicitly mandated.
What if an HR policy contradicts current law because it has not been updated?
The law prevails. Where the policy is more generous than the statute, the policy is enforceable. Where the policy is less generous, the statute kicks in. The risk is reputational and operational: an outdated policy sets the wrong expectation with employees and creates avoidable disputes when the gap surfaces.
Can HR policies be common across multiple group companies?
Yes, with caveats. The framework can be shared, but state-specific obligations (like Shops and Establishments Acts), entity-specific contractual terms, and SEZ-specific compliance need to be reflected per entity. Policy management platforms make this easier by allowing one master policy with entity-level overrides and acknowledgement tracked at the right legal entity.