Birmingham (West Midlands)
Mitchells & Butlers
IT
Posted: 22 January
Offer description

We have an exciting opportunity for two GRC Analysts to join
our award-winning Business Change and Technology team on a 12-month Fixed Term
contract. You will be based in Birmingham City Centre in a hybrid working role.

The GRC Analysts will support our
governance, risk, and compliance activities, with a strong focus on third-party
risk management and data protection assurance across the organisation.

Reporting to the IT
Licensing & Compliance Manager, the GRC Analysts will assess third-party
suppliers, particularly those processing or storing personally identifiable
information (PII), review how PII is used within M&B, ensure data
minimisation principles are applied, challenge unnecessary processing, and document associated risks and recommended actions.

Here at Mitchells & Butlers, we own and run more than
1,600 pubs, bars and restaurants including the stylish All Bar One brand,
legendary Miller & Carter steakhouses, and the iconic Toby Carvery,
alongside our Mediterranean Brands Ego & Pesto. We are Mitchells
& Butlers, and we set the industry standard within hospitality.

You will be well rewarded:

* Working 35 hours per week, Monday to Friday, with
flexibility around your personal commitments.
* 33% off at all our brands, including our hotels.
Whether it's date night at Miller & Carter or a family roast at Toby
Carvery, we've got you covered.
* A pension that pays, where we'll more than match
your contributions (x1.5 of your contributions, up to a maximum of 5% of
your salary).
* Private healthcare, dental plan, cycle-to-work, and
keep-fit schemes.
* 26 days annual leave plus bank holidays.


The Opportunity – GRC Analyst:

Third Party Risk Management

* Conduct and coordinate security and privacy
risk assessments for new and existing suppliers.
* Evaluate supplier controls relating to data
protection, information security, data hosting, and subcontractor usage.
* Catalogue and maintain records of M&B
data shared with third parties, including purpose of use, information security
classification, data sensitivity, and processing location.
* Ensure third-party data handling
arrangements define and document data retention, archiving, and deletion
requirements, in line with M&B policies and regulatory obligations.
* Perform data cataloguing activities
directly, or coordinate with teams across BC&T to ensure responsibilities
for data ownership and maintenance are clearly assigned.
* Support Vendor Management, Procurement,
Legal, and Information Security in embedding supplier assurance throughout
onboarding, renewal, and contract processes.
* Maintain risk documentation for third-party
assurance activities and follow up on remediation actions.
* Track agreed remediation actions with
suppliers and internal teams.
* Work with Vendor Management, Procurement,
Legal, Information Security, and IT to ensure supplier risks are identified
early and addressed before onboarding.
* Escalate high-risk findings to the IT
Licensing & Compliance Manager and relevant stakeholders.

Data Protection & GDPR Compliance (Support Function)

* Review how personal data is used across
M&B systems, processes, and vendor solutions.
* Maintain visibility of third-party personal
data usage, ensuring data classification, sensitivity, and lifecycle controls
are clearly documented.
* Ensure data minimisation by identifying
where unnecessary PII is collected or retained, and challenge business teams or
vendors to reduce processing.
* Document identified PII risks, gaps, and
recommended actions in line with M&B risk management processes.
* Identify opportunities to reduce or
eliminate PII processing where not essential to business needs.
* Support business functions by providing
technical context, risk findings, and assessments related to personal data
processing.

Governance, Risk & Compliance

* Support the review, development, and rollout
of information security and data protection policies.
* Contribute to the management of Information
Security risk registers and compliance monitoring processes.
* Support the IT Licensing & Compliance
Manager by producing regular compliance reports, dashboards, and metrics for
management and senior stakeholders.
* Assist with internal and external audits
(GDPR assurance, PCI DSS, Financial).
* Support control reviews and policy adoption
across the organisation.
* Maintain compliance tracking, including
third-party risks, data lifecycle controls, and PII-related risks.

Security & Privacy Operations Support

* Track remediation of identified compliance
issues and work with teams to ensure timely closure.
* Support incident response activities,
particularly where third-party data access or personal data processing is
involved.
* Review and document business and supplier
processes to support governance, risk, and compliance activities.
* Provide clear, auditable documentation for
assessments, risks, data handling decisions, and approvals.

What you'll need to bring to the GRC Analyst role:

* Understanding of GDPR, UK Data Protection
Act, and privacy/security control requirements.
* Experience conducting supplier assurance or
security due diligence reviews.
* Ability to interpret and assess technical
and organisational controls.
* Strong analytical skills with excellent
attention to detail.
* Strong written and verbal communication
skills, able to engage across legal, technical, and operational teams.
* Experience in large hospitality, or
multi-site environments.
* Experience contributing to incident or
breach investigations.
* The
ability to think laterally and constructively question established process.
* Able to
manage multiple concurrent or competing demands.
* Confident
and able to say no where appropriate.
* Positively
works with stakeholders to find reasonable and pragmatic solutions to
issues.

Qualifications:

* Minimum of 3
years of experience in GRC, information security, data protection,
supplier assurance, or a related compliance role.
* CIPP/E, CIPM,
CompTIA Security+, BCS Practitioner Certificate in Data Protection
desirable.


What makes Mitchells & Butlers a great place to
work?

To us, a career isn't just about 'clocking in'. We really
care about our colleagues, and we're an employer that keeps a promise. In fact,
as one of the largest employers in the country, with over 44,000 people working
for us, we have the responsibility of valuing every contribution from a diverse
workforce that are representative of our guests, and who make us
stronger.

At M&B we value the unique perspectives each person
brings. We believe that by fostering a culture of inclusion, respect, and
allyship, we create a sense of belonging, engagement and teamwork which are
essential to delivering great guest experiences. Join us and be a part
of a great team.


Closing Date pm on Wednesday 4th February 2026
