Blog entry by Darren Bindert
If you run a small business, you have probably noticed that the phrase 'compliance training' comes up in a lot of conversations: with your insurance broker, in HR guidance you have read, in the supplier questionnaire a client sent last quarter, or in a tender you might have responded to. It sounds important. It is important. But the guidance on what compliance training a small business is legally required to provide is often buried within regulatory frameworks designed for organisations with a dedicated HR team and a legal department.
This guide is for businesses with fewer than 200 employees that do not have a specialist L&D resource. It covers the main categories of compliance training for UK employees that employers must provide, distinguishes legal obligation from best practice, and explains what 'good' looks like when an auditor, regulator, or insurer asks for evidence.
One caveat before we begin: this guide provides general information, not legal advice. If you have specific concerns about your obligations, you should seek advice from an employment solicitor or your sector's trade body.
The distinction that matters most: legal requirement vs best practice
The single most useful thing to understand about compliance training in the UK is that the law rarely specifies a precise training programme. What it typically specifies is an outcome: that employees must be competent, informed, or aware of something. Training is the most common way to demonstrate that outcome, but it is rarely the only way.
This matters because it shifts the question from 'have our staff done a course?' to 'can we demonstrate that our staff understand what they need to understand, and that we have a system for keeping that information up to date?'. The difference between those two questions is the difference between a box-ticking exercise and a genuine compliance posture.
For most small businesses, the practical answer is: yes, your staff should complete training, and yes, you need a record of it. The training evidences the outcome. The record evidences the training. What follows is a breakdown of the main categories where this applies.
Health and safety training
The Health and Safety at Work etc. Act 1974 places a duty on employers to ensure, so far as is reasonably practicable, the health, safety, and welfare of their employees. The Management of Health and Safety at Work Regulations 1999 expand on this by requiring employers to actively manage workplace risk and provide adequate health and safety training when employees are recruited, when they move to a new role or their responsibilities change, and when new equipment or processes are introduced.
In practice, this means every employee should receive health and safety induction training when they start with a new employer. For most office-based businesses, this includes fire safety awareness, evacuation procedures, and basic workplace hazard awareness. For businesses in higher-risk sectors such as construction, manufacturing, hospitality, or care, the training requirements are more specific and often governed by sector-level regulations.
Specific areas to consider include:
• Fire safety: The Regulatory Reform (Fire Safety) Order 2005 requires employers to provide appropriate instruction and training to employees on fire safety. This applies to all businesses, regardless of size.
• Manual handling: Where employees regularly lift, carry, or move loads, the Manual Handling Operations Regulations 1992 require employers to provide training in safe technique. This is frequently overlooked in businesses outside of warehousing and logistics, but applies anywhere physical handling occurs.
• Display screen equipment (DSE): The Health and Safety (Display Screen Equipment) Regulations 1992 require employers to provide training to staff who regularly use screens as a significant part of their work. With hybrid and home working now standard across many small businesses, this is more relevant than it was a decade ago.
• First aid: The Health and Safety (First Aid) Regulations 1981 require employers to make adequate first aid provision. The level of provision depends on your workplace risk assessment and workforce size, but all employers must appoint an appropriate person to take charge in an emergency.
The Health and Safety Executive (HSE) does not prescribe how health and safety training must be delivered, but it does expect you to be able to demonstrate competence. For most SMEs, online training can satisfy this requirement for most categories, provided it covers the necessary content and produces a completion record.
Equality, diversity, and inclusion training
The Equality Act 2010 is the primary legislation governing equality in the workplace. It prohibits discrimination, harassment, and victimisation based on nine protected characteristics: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation.
The Act does not require employers to provide equality training. However, where an employee harasses a colleague or customer, an employer can use the 'reasonable steps' defence to avoid liability, provided they can demonstrate they took reasonable steps to prevent the discriminatory behaviour from occurring. In practice, a court or employment tribunal will look for evidence of training, policy communication, and a genuine organisational commitment to equality.
This creates a strong practical case for equality and diversity training, even though it is not a strict legal mandate. For a small business, the risk of an employment tribunal claim is disproportionately damaging relative to the cost of prevention. Tribunal awards for discrimination claims are uncapped, and legal defence costs are significant regardless of outcome.
Equality training should cover the nine protected characteristics, what constitutes discrimination and harassment, reporting procedures, and manager responsibilities. It should be completed at induction and refreshed periodically, with records kept to support the reasonable steps defence if it is ever needed.
Data protection and UK GDPR awareness
The UK General Data Protection Regulation (UK GDPR), implemented via the Data Protection Act 2018, applies to every business that processes personal data about employees, customers, or suppliers. The Information Commissioner's Office (ICO) expects organisations to ensure that staff handling personal data understand their responsibilities under the legislation.
Formal training is not explicitly mandated by the UK GDPR, but the regulation's accountability principle requires organisations to demonstrate compliance. Following a data breach, the ICO will assess whether staff were adequately trained as part of its investigation. Where a breach results from staff error, lack of training is a significant aggravating factor in enforcement decisions.
At a minimum, staff who handle personal data should understand what personal data is, the lawful bases for processing, how to handle subject access requests, how to recognise and report a data breach, and the basics of data security. For most small businesses, a well-designed online awareness course, completed at induction and annually thereafter, is sufficient. Records of completion should be retained.
Managing compliance training across these categories manually is time-consuming and difficult to evidence. SkillsCircle includes pre-built, CPD-certified compliance courses covering health and safety, equality and diversity, data protection, modern slavery, and cyber security awareness, all delivered through a ready-made SaaS LMS designed for businesses of your size.
Modern slavery awareness
The Modern Slavery Act 2015 requires commercial organisations with an annual turnover of £36 million or more to publish an annual slavery and human trafficking statement. Many small businesses know this threshold and conclude, correctly, that the statutory reporting requirement does not apply to them.
However, there is a growing practical obligation that sits below that threshold and affects businesses of any size. Larger organisations subject to the reporting requirement are increasingly requiring their suppliers, including small businesses in their supply chain, to demonstrate awareness training as part of procurement and supplier onboarding processes. Public sector contracts, in particular, routinely ask suppliers to evidence their approach to modern slavery as a condition of award.
Modern slavery awareness training typically covers how to recognise the signs of forced labour, labour exploitation, and human trafficking; the reporting channels available; and the organisation's obligations under its own supplier code of conduct. For a small business in a B2B supply chain, completing and documenting this training is increasingly a commercial requirement as much as an ethical one.
Cybersecurity awareness training
There is no single piece of legislation that directly mandates cybersecurity awareness training for UK businesses. The obligation is instead distributed across several frameworks.
Under UK GDPR, organisations must implement appropriate technical and organisational measures to protect personal data. Staff awareness is considered an organisational measure, and the ICO's post-breach investigations consistently highlight inadequate training as a contributing factor in incidents caused by human error, which remain the most common cause of reported data breaches.
Beyond regulation, there is a growing insurance dimension. Cyber insurance underwriters increasingly require evidence of staff training as a condition of policy, and some policies specifically require training that covers phishing awareness, password hygiene, and safe handling of sensitive data. A business that cannot produce training records may find its cover voided following a claim.
At a practical level, cybersecurity awareness training for small business employees should cover: recognising phishing and social engineering attempts, creating and managing strong passwords, understanding the risks of public Wi-Fi, reporting suspected incidents promptly, and the basics of safe data handling. Annual refresh training, with a completion record, is the standard expectation.
The part most small businesses get wrong: record keeping
Completing training is half the task. Being able to prove it was completed is the other half, and it is where most small businesses without a dedicated LMS or HR system fall down.
When the HSE investigates a workplace incident, when an employment tribunal examines whether an employer took reasonable steps, when the ICO looks into a data breach, or when a procurement team asks you to complete a supplier questionnaire, they are not asking whether training happened. They are asking for evidence. A spreadsheet with names and dates, a folder of scanned certificates, or an email trail from two years ago is not equivalent to a structured completion record with timestamps, pass scores, and certificate downloads.
The practical requirements for a defensible training record are straightforward: a dated record of who completed which training, when, and with what result; a mechanism for flagging when renewals are due; and a way to retrieve that evidence quickly when it is requested. For a business with ten to two hundred employees, managing this manually may be workable at first, but it becomes progressively more error-prone as staff numbers grow, staff turnover increases, and renewal cycles compound.
Pulling it together: a practical checklist
For a UK business with under 200 employees, the minimum defensible compliance training programme should cover:
• Health and safety induction (legal requirement, all employees, on joining)
• Fire safety awareness (legal requirement, all employees, annually or when procedures change)
• Manual handling (legal requirement where relevant, on joining and when tasks change)
• Display screen equipment (legal requirement for regular screen users)
• Equality, diversity, and inclusion (strong practical requirement, all employees, at induction and every 1-2 years)
• Data protection and UK GDPR awareness (accountability obligation, all employees handling personal data, annually)
• Cyber security awareness (insurance and regulatory expectation, all employees, annually)
• Modern slavery awareness (supply chain and procurement expectation, relevant employees, annually)
Sector-specific requirements may extend this list. Businesses in health and social care, food handling, construction, financial services, or education will have additional obligations governed by their sector regulator, and those should be mapped separately.
How SkillsCircle helps
SkillsCircle is a ready-made learning management system built specifically for small and medium-sized businesses. It comes pre-loaded with CPD-certified compliance courses covering every category in the checklist above, including health and safety, equality and diversity, data protection, cybersecurity awareness, and modern slavery. There is no setup time, no content to build, and no specialist resource required. Staff can be enrolled and completing training within a working day, with completion records and certificates generated automatically.