IT

We have an exciting opportunity for a GRC Analyst – Data Protection & GDPR Compliance to join our award‑winning Business Change and Technology (BC&T) team on a 12‑month Fixed Term Contract. You will be based in Birmingham City Centre, working in a hybrid role. Reporting to the IT Licensing & Compliance Manager, these roles support Mitchells & Butlers’ governance, risk, and compliance (GRC) activities, with a strong focus on information security, privacy, and regulatory assurance across the organisation.

This specialism focuses on data protection assurance and GDPR compliance, ensuring personal data is processed lawfully, proportionately, and in line with regulatory and organisational requirements.

Benefits:

• 35 hours per week, Monday to Friday, with flexibility around personal commitments.
• 33% discount across all M&B brands and hotels.
• A pension that pays, with contributions matched at 1.5x, up to 5%.
• Private healthcare, dental plan, cycle‑to‑work, and keep‑fit schemes.
• 26 days annual leave plus bank holidays.
• Competitive salary.

Key responsibilities include:

• Reviewing how personal data is used across M&B systems, business processes, and technology solutions.
• Assessing and documenting PII risks, gaps, and recommended actions in line with GDPR, the UK Data Protection Act, and M&B risk management processes.
• Ensuring data minimisation principles are applied by identifying unnecessary collection, processing, or retention of personal data.
• Constructively challenging business teams where personal data processing is excessive or insufficiently justified.
• Identifying opportunities to reduce, anonymise, or eliminate personal data processing where it is not essential to business needs.
• Maintaining visibility of personal data usage, including data classification, sensitivity, and lifecycle controls.
• Providing clear, pragmatic risk assessments and guidance to business stakeholders on personal data processing.

Governance, Risk & Compliance:

• Support the review, development, and rollout of information security and data protection policies.
• Contribute to the management of information security, third‑party, and privacy risk registers.
• Produce compliance reports, dashboards, and metrics for management and senior stakeholders.
• Assist with internal and external audits, including GDPR assurance, PCI DSS, and financial audits.
• Support control reviews, evidence gathering, and policy adoption across the organisation.
• Maintain clear, accurate, and auditable compliance documentation.

Security & Privacy Operations:

• Track remediation of identified security, privacy, and compliance issues to ensure timely closure.
• Support incident and breach response activities, including investigation, documentation, and follow‑up actions.
• Review and document business, data, and supplier processes to support governance, risk, and compliance activities.
• Provide clear, auditable documentation to evidence risk decisions, approvals, and outcomes.

What you’ll need to bring:

• Strong understanding of GDPR, the UK Data Protection Act, and privacy and security control requirements.
• Experience working in GRC, information security, data protection, supplier assurance, or a related compliance role.
• Ability to interpret and assess technical and organisational controls.
• Strong analytical skills with excellent attention to detail.
• Confident written and verbal communication skills, able to engage across legal, technical, and operational teams.
• Experience contributing to incident or breach investigations.
• Ability to manage multiple competing priorities and constructively challenge established processes.

Qualifications:

• Minimum 3 years' experience in a relevant role.
• CIPP/E, CIPM, CompTIA Security+, or BCS Practitioner Certificate in Data Protection desirable.

Closing date Monday 25th May 2026 11:59pm