Spring clean your business’s contracts and policies

As your business grows and the legal landscape continues to shift, scheduling an annual “spring clean” of your contracts and internal policies is a smart way to stay compliant and ahead of risk. With significant changes now in force across data protection and employment law in 2025/26, this year’s review is especially important. Updating your documents and processes not only ensures legal compliance, but also highlights where your teams may need further training to support the smooth running of your organisation.

Review your contracts

Your business will most likely have several commercial contracts in place with suppliers, staff and contractors. Now is a good time to take a note and diarise the date you must provide written notice to terminate any supplier contracts, especially if you are considering an alternative supplier due to the changing needs of your business or because you need to save on operating costs.

You may need legal advice on service provision changes, such as changing suppliers or bringing services in-house, such as changing the supplier of your outsourced IT support. Your existing contract with your current supplier may contain provisions confirming whether TUPE applies, but if you are unsure or need to learn more about this, you should seek legal advice.

It’s important that you understand the consequences of terminating supplier contracts, including managing confidential information and personal data to limit your risks and ensure your business is adhering to its legal and regulatory obligations.

Data protection policies and procedures

It’s also important to review your data protection policies and procedures, especially now that the Data (Use and Access) Act 2025 (DUAA) became law in February 2026. The DUAA introduces several key changes to UK GDPR, including:

• allowing more situations where automated decisions about individuals are permitted, as long as you provide safeguards like transparency, a way for people to challenge decisions, and access to human review
• a new lawful basis called “recognised legitimate interests” lets organisations justify certain processing more easily, without the full balancing test
• DSARs and purpose‑limitation rules are clearer, making it easier to understand what’s required when responding to requests or repurposing data
• upcoming changes to cookies and tracking technologies will relax some consent requirements once the related PECR amendments take effect.

With many of these changes already operational and others due by mid 2026, businesses consider whether a Data Protection Impact Assessment (DPIA) is required for any new technology, including AI tools, to ensure compliance with the strengthened safeguards around automated decision making and data use.

Employment contracts and policies

Your business should periodically review employment contracts and policies, particularly given the substantial reforms rolling out under the Employment Rights Act 2025 and the Government’s plan to Make Work Pay. Key changes taking effect in 2026 include:

• Statutory Sick Pay (SSP) is now payable from day one, with the waiting period removed and no minimum earnings threshold.
• Paternity Leave and Unpaid Parental Leave have become day‑one rights, removing the previous 26‑week and 12‑month qualifying periods.
• Bereaved Partner’s Paternity Leave allows up to 52 weeks’ leave if the mother or primary adopter dies within the first year.
• Collective redundancy protective awards are doubled from 90 to 180 days’ pay for failure to comply with consultation obligations.
• Strengthened whistleblowing protections, extended to cover disclosures relating to sexual harassment.

Use of AI by businesses

Generally, the use of AI is a useful tool for many businesses, making tasks faster and allowing staff to work more efficiently, but its use should be part of a careful strategy.

Whilst there will undoubtedly be cost savings, there can be pitfalls your business needs to be aware of to avoid breaches of copyright and confidentiality obligations. As a decision maker, currently, it would not be advisable to rely on AI completely without staff carrying out independent checks.

If you do plan on using AI within your business, or increasing its use, you should introduce an AI policy to ensure your staff are clear about how it may or may not be used as part of their day to day work responsibilities, and so you can build in appropriate checks and test its use and ensure that such use aligns with your business’s overall strategy.

With the DUAA now expanding the circumstances in which automated decision making is permitted (subject to safeguards), businesses should ensure any AI systems used for decisions affecting individuals are assessed carefully and documented appropriately

Business spring clean: next steps

The above points are just a selection of the areas you may want to consider in your business spring clean and can be incorporated into annual reviews, or your existing auditing to ensure that your business continues to comply with current law, regulations and best practices.

For advice on commercial contracts and policies, please contact Sarah Liddiard, senior commercial lawyer. For support with employment contracts and workplace policies, please contact partner Michael Kerrigan.