GRC Analyst

We have an exciting opportunity for two GRC Analysts to join our award-winning Business Change and Technology team on a 12-month Fixed Term contract. You will be based in Birmingham City Centre in a hybrid working role.

The GRC Analyst’s will support our governance, risk, and compliance activities, with a strong focus on third-party risk management and data protection assurance across the organisation. Reporting to the IT Licensing & Compliance Manager, the GRC Analysts will assess third-party suppliers, particularly those processing or storing personal identifiable information (PII), review how PII is used within M&B, ensure data minimisation principles are applied, challenge unnecessary processing, and document associated risks and recommended actions.

Here at Mitchells & Butlers, we own and run more than 1,600 pubs, bars and restaurants including the stylish All Bar One brand, Miller & Carter steakhouses, Toby Carvery, and our Mediterranean Brands Ego & Pesto. We are Mitchells & Butlers, and we set the industry standard within hospitality.

You will be well rewarded:

• Working 35 hours per week, Monday to Friday, with flexibility around your personal commitments.
• 33% off at all our brands, including our hotels. Whether it’s date night at Miller & Carter or a family roast at Toby Carvery, we’ve got you covered.
• A pension that pays, where we’ll more than match your contributions (x1.5 of your contributions, up to a maximum of 5% of your salary).
• Private healthcare, dental plan, cycle-to-work, and keep-fit schemes.
• 26 days annual leave plus bank holidays.

Third Party Risk Management

• Conduct and coordinate security and privacy risk assessments for new and existing suppliers.
• Evaluate supplier controls relating to data protection, information security, data hosting, and subcontractor usage.
• Catalogue and maintain records of M&B data shared with third parties, including purpose of use, information security classification, data sensitivity, and processing location.
• Ensure third-party data handling arrangements define and document data retention, archiving, and deletion requirements, in line with M&B policies and regulatory obligations.
• Perform data cataloguing activities directly, or coordinate with teams across BC&T to ensure responsibilities for data ownership and maintenance are clearly assigned.
• Support Vendor Management, Procurement, Legal, and Information Security in embedding supplier assurance throughout onboarding, renewal, and contract processes.
• Maintain risk documentation for third-party assurance activities and follow up on remediation actions.
• Track agreed remediation actions with suppliers and internal teams.
• Work with Vendor Management, Procurement, Legal, Information Security, and IT to ensure supplier risks are identified early and addressed before onboarding.
• Escalate high-risk findings to the IT Licensing & Compliance Manager and relevant stakeholders.

Data Protection & GDPR Compliance (Support Function)

• Review how personal data is used across M&B systems, processes, and vendor solutions.
• Maintain visibility of third-party personal data usage, ensuring data classification, sensitivity, and lifecycle controls are clearly documented.
• Ensure data minimisation by identifying where unnecessary PII is collected or retained, and challenge business teams or vendors to reduce processing.
• Document identified PII risks, gaps, and recommended actions in line with M&B risk management processes.
• Identify opportunities to reduce or eliminate PII processing where not essential to business needs.
• Support business functions by providing technical context, risk findings, and assessments related to personal data processing.

Governance, Risk & Compliance

• Support the review, development, and rollout of information security and data protection policies.
• Contribute to the management of Information Security risk registers and compliance monitoring processes.
• Support the IT Licensing & Compliance Manager by producing regular compliance reports, dashboards, and metrics for management and senior stakeholders.
• Assist with internal and external audits (GDPR assurance, PCI DSS, Financial).
• Support control reviews and policy adoption across the organisation.
• Maintain compliance tracking, including third-party risks, data lifecycle controls, and PII-related risks.

Security & Privacy Operations Support

• Track remediation of identified compliance issues and work with teams to ensure timely closure.
• Support incident response activities, particularly where third-party data access or personal data processing is involved.
• Review and document business and supplier processes to support governance, risk, and compliance activities.
• Provide clear, auditable documentation for assessments, risks, data handling decisions, and approvals.

What you’ll need to bring to the GRC Analyst role:

• Understanding of GDPR, UK Data Protection Act, and privacy/security control requirements.
• Experience conducting supplier assurance or security due diligence reviews.
• Ability to interpret and assess technical and organisational controls.
• Strong analytical skills with excellent attention to detail.
• Strong written and verbal communication skills, able to engage across legal, technical, and operational teams.
• Experience in large hospitality, or multi-site environments.
• Experience contributing to incident or breach investigations.
• The ability to think laterally and constructively question established process.
• Able to manage multiple concurrent or competing demands.
• Confident and able to say no where appropriate.
• Positively works with stakeholders to find reasonable and pragmatic solutions to issues.

• Minimum of 3 years of experience in GRC, information security, data protection, supplier assurance, or a related compliance role.
• CIPP/E, CIPM, CompTIA Security+, BCS Practitioner Certificate in Data Protection desirable.

What makes Mitchells & Butlers a great place to work?

To us, a career isn’t just about ‘clocking in’. We really care about our colleagues, and we’re an employer that keeps a promise. In fact, as one of the largest employers in the country, with over 44,000 people working for us, we have the responsibility of valuing every contribution from a diverse workforce that are representative of our guests, and who make us stronger.

At M&B we value the unique perspectives each person brings. We believe that by fostering a culture of inclusion, respect, and allyship, we create a sense of belonging, engagement and teamwork which are essential to delivering great guest experiences.Join us and be a part of a great team

Closing Date - 11.59pm on Wednesday 4th February 2026