

Mitchells & Butlers PLC
GRC Analyst
This role is for a GRC Analyst on a 12-month contract in Birmingham City Centre. Key skills include GDPR knowledge, supplier assurance experience, and strong analytical abilities. A minimum of 3 years in GRC or related compliance roles is required.
🌎 Country: United Kingdom
💱 Currency: £ GBP
💰 Day rate: Unknown
🗓️ Date: February 26, 2026
🕒 Duration: More than 6 months
🏝️ Location: Hybrid
📄 Contract: Fixed Term
🔒 Security: Unknown
📍 Location detailed: Birmingham, England, United Kingdom
🧠 Skills detailed: #Data Access #Classification #GDPR (General Data Protection Regulation) #Licensing #Data Catalog #Data Lifecycle #Documentation #Security #PCI (Payment Card Industry) #Scala #Monitoring #Compliance #Data Processing
Role description
We have an exciting opportunity for two GRC Analysts to join our award-winning Business Change and Technology team on a 12-month Fixed Term contract. You will be based in Birmingham City Centre in a hybrid working role.
The GRC Analysts will support our governance, risk, and compliance activities, with a strong focus on third-party risk management and data protection assurance across the organisation.
Reporting to the IT Licensing & Compliance Manager, the GRC Analysts will assess third-party suppliers, particularly those processing or storing personally identifiable information (PII), review how PII is used within M&B, ensure data minimisation principles are applied, challenge unnecessary processing, and document associated risks and recommended actions.
Here at Mitchells & Butlers, we own and run more than 1,600 pubs, bars and restaurants including the stylish All Bar One brand, legendary Miller & Carter steakhouses, and the iconic Toby Carvery, alongside our Mediterranean Brands Ego & Pesto. We are Mitchells & Butlers, and we set the industry standard within hospitality.
You will be well rewarded: -
• Working 35 hours per week, Monday to Friday, with flexibility around your personal commitments.
• 33% off at all our brands, including our hotels. Whether it’s date night at Miller & Carter or a family roast at Toby Carvery, we’ve got you covered.
• A pension that pays, where we’ll more than match your contributions (x1.5 of your contributions, up to a maximum of 5% of your salary).
• Private healthcare, dental plan, cycle-to-work, and keep-fit schemes.
• 26 days annual leave plus bank holidays.
The Opportunity – GRC Analyst
Third Party Risk Management
• Conduct and coordinate security and privacy risk assessments for new and existing suppliers.
• Evaluate supplier controls relating to data protection, information security, data hosting, and subcontractor usage.
• Catalogue and maintain records of M&B data shared with third parties, including purpose of use, information security classification, data sensitivity, and processing location.
• Ensure third-party data handling arrangements define and document data retention, archiving, and deletion requirements, in line with M&B policies and regulatory obligations.
• Perform data cataloguing activities directly, or coordinate with teams across BC&T to ensure responsibilities for data ownership and maintenance are clearly assigned.
• Support Vendor Management, Procurement, Legal, and Information Security in embedding supplier assurance throughout onboarding, renewal, and contract processes.
• Maintain risk documentation for third-party assurance activities and follow up on remediation actions.
• Track agreed remediation actions with suppliers and internal teams.
• Work with Vendor Management, Procurement, Legal, Information Security, and IT to ensure supplier risks are identified early and addressed before onboarding.
• Escalate high-risk findings to the IT Licensing & Compliance Manager and relevant stakeholders.
Data Protection & GDPR Compliance (Support Function)
• Review how personal data is used across M&B systems, processes, and vendor solutions.
• Maintain visibility of third-party personal data usage, ensuring data classification, sensitivity, and lifecycle controls are clearly documented.
• Ensure data minimisation by identifying where unnecessary PII is collected or retained, and challenge business teams or vendors to reduce processing.
• Document identified PII risks, gaps, and recommended actions in line with M&B risk management processes.
• Identify opportunities to reduce or eliminate PII processing where not essential to business needs.
• Support business functions by providing technical context, risk findings, and assessments related to personal data processing.
Governance, Risk & Compliance
• Support the review, development, and rollout of information security and data protection policies.
• Contribute to the management of Information Security risk registers and compliance monitoring processes.
• Support the IT Licensing & Compliance Manager by producing regular compliance reports, dashboards, and metrics for management and senior stakeholders.
• Assist with internal and external audits (GDPR assurance, PCI DSS, Financial).
• Support control reviews and policy adoption across the organisation.
• Maintain compliance tracking, including third-party risks, data lifecycle controls, and PII-related risks.
Security & Privacy Operations Support
• Track remediation of identified compliance issues and work with teams to ensure timely closure.
• Support incident response activities, particularly where third-party data access or personal data processing is involved.
• Review and document business and supplier processes to support governance, risk, and compliance activities.
• Provide clear, auditable documentation for assessments, risks, data handling decisions, and approvals.
What you’ll need to bring to the GRC Analyst role: -
• Understanding of GDPR, UK Data Protection Act, and privacy/security control requirements.
• Experience conducting supplier assurance or security due diligence reviews.
• Ability to interpret and assess technical and organisational controls.
• Strong analytical skills with excellent attention to detail.
• Strong written and verbal communication skills, able to engage across legal, technical, and operational teams.
• Experience in large hospitality or multi-site environments.
• Experience contributing to incident or breach investigations.
• The ability to think laterally and constructively question established process.
• Able to manage multiple concurrent or competing demands.
• Confident and able to say no where appropriate.
• Positively works with stakeholders to find reasonable and pragmatic solutions to issues.
Qualifications
• Minimum of 3 years of experience in GRC, information security, data protection, supplier assurance, or a related compliance role.
• CIPP/E, CIPM, CompTIA Security+, BCS Practitioner Certificate in Data Protection desirable.
What makes Mitchells & Butlers a great place to work?
To us, a career isn’t just about ‘clocking in’. We really care about our colleagues, and we’re an employer that keeps a promise. In fact, as one of the largest employers in the country, with over 44,000 people working for us, we have the responsibility of valuing every contribution from a diverse workforce that are representative of our guests, and who make us stronger.
At M&B we value the unique perspectives each person brings. We believe that by fostering a culture of inclusion, respect, and allyship, we create a sense of belonging, engagement and teamwork which are essential to delivering great guest experiences. Join us and be a part of a great team.
Closing Date - 11.59pm Wednesday 4th March 2026






