GRC Analyst - Data Protection & GDPR Compliance

Competitive salary, fixed-term contract, full time

Location

Birmingham, B3 1JP

We have an exciting opportunity for a GRC Analyst (Data Protection & GDPR Compliance) to join our award‑winning Business Change and Technology (BC&T) team on a 12‑month Fixed Term Contract. You will be based in Birmingham City Centre, working in a hybrid role.


Reporting to the IT Licensing & Compliance Manager, this role supports Mitchells & Butlers’ governance, risk, and compliance (GRC) activities, with a strong focus on information security, privacy, and regulatory assurance across the organisation.


Here at Mitchells & Butlers, we own and run more than 1,600 pubs, bars and restaurants including the stylish All Bar One brand, legendary Miller & Carter steakhouses, and the iconic Toby Carvery, alongside our Mediterranean brands Ego and Pesto. We set the industry standard within hospitality.


GRC Analyst (Data Protection and GDPR Compliance)

This specialism focuses on data protection assurance and GDPR compliance, ensuring personal data is processed lawfully, proportionately, and in line with regulatory and organisational requirements.


You will be well rewarded

  • 35 hours per week, Monday to Friday, with flexibility around personal commitments.
  • 33% discount across all M&B brands and hotels.
  • A pension that pays, with contributions matched at 1.5x, up to 5%.
  • Private healthcare, dental plan, cycle‑to‑work, and keep‑fit schemes.
  • 26 days annual leave plus bank holidays.


Key responsibilities include:

  • Reviewing how personal data is used across M&B systems, business processes, and technology solutions.
  • Assessing and documenting PII risks, gaps, and recommended actions in line with GDPR, the UK Data Protection Act, and M&B risk management processes.
  • Ensuring data minimisation principles are applied by identifying unnecessary collection, processing, or retention of personal data.
  • Constructively challenging business teams where personal data processing is excessive or insufficiently justified.
  • Identifying opportunities to reduce, anonymise, or eliminate personal data processing where it is not essential to business needs.
  • Maintaining visibility of personal data usage, including data classification, sensitivity, and lifecycle controls.
  • Providing clear, pragmatic risk assessments and guidance to business stakeholders on personal data processing.


Governance, Risk & Compliance

  • Support the review, development, and rollout of information security and data protection policies.
  • Contribute to the management of information security, third‑party, and privacy risk registers.
  • Produce compliance reports, dashboards, and metrics for management and senior stakeholders.
  • Assist with internal and external audits, including GDPR assurance, PCI DSS, and financial audits.
  • Support control reviews, evidence gathering, and policy adoption across the organisation.
  • Maintain clear, accurate, and auditable compliance documentation.


Security & Privacy Operations

  • Track remediation of identified security, privacy, and compliance issues to ensure timely closure.
  • Support incident and breach response activities, including investigation, documentation, and follow‑up actions.
  • Review and document business, data, and supplier processes to support governance, risk, and compliance activities.
  • Provide clear, auditable documentation to evidence risk decisions, approvals, and outcomes.


What you’ll need to bring

  • Strong understanding of GDPR, the UK Data Protection Act, and privacy and security control requirements.
  • Experience working in GRC, information security, data protection, supplier assurance, or a related compliance role.
  • Ability to interpret and assess technical and organisational controls.
  • Strong analytical skills with excellent attention to detail.
  • Confident written and verbal communication skills, able to engage across legal, technical, and operational teams.
  • Experience contributing to incident or breach investigations.
  • Ability to manage multiple competing priorities and constructively challenge established processes.


Qualifications

  • Minimum 3 years’ experience in a relevant role.
  • CIPP/E, CIPM, CompTIA Security+, or BCS Practitioner Certificate in Data Protection desirable.


What makes Mitchells & Butlers a great place to work?

At M&B, a career isn’t just about clocking in. We care about our people and value every contribution from a diverse workforce that reflects our guests and communities. By fostering a culture of inclusion, respect, and collaboration, we create an environment where colleagues can thrive and deliver great guest experiences.


At M&B we value the unique perspectives each person brings. We believe that by fostering a culture of inclusion, respect, and allyship, we create a sense of belonging, engagement and teamwork which are essential to delivering great guest experiences. Join us and be a part of a great team.


Closing Date - 11.59pm on Friday 27th March 2026