Governance
Our Information Security Policy, data privacy policies, and Information Assets Protection Policy govern our cybersecurity procedures.
The Company’s Information Security Steering Committee (ISSC) oversees information security and develops and approves related policies. Chaired by our Chief Information Officer and co-chaired by our Global Information Security Director, the ISSC is a cross-functional group that includes our Chief Financial Officer, Chief Administrative Officer, Vice-President, General Counsel and Corporate Secretary, Senior Vice-President, Finance, and other senior leaders from the Company’s Information Technology (IT), Legal Affairs, Physical Security, Risk Management, Internal Audit, and Human Resources departments.
Furthermore, to ensure compliance with applicable privacy laws and regulations, and to monitor and mitigate risks associated with data privacy breaches, the ISSC oversees data privacy through the Data Privacy sub-committee. Led by our Data Privacy Officer, the Data Privacy sub-committee is a cross-functional group comprising representatives of the different functions involved with privacy matters across the organization.
Both committees meet quarterly and on an ad hoc basis and report major developments to the Company’s Compliance Steering Committee, which, in turn, provides quarterly updates to the Board of Directors’ Corporate Governance and Social Responsibility Committee. In addition, the Chief Information Officer provides quarterly information security reports to the Board’s Audit and Finance Committee, and a full report on IT and cybersecurity strategies to the Board each year.
Approach
We leverage ISO 27001 and the National Institute of Standards and Technology (NIST) framework to efficiently manage information security risks and align our information security policies with industry best practices. We also collaborate with external partners and government agencies to ensure our information systems and management team remain up to date.
All Gildan administrative and office employees receive mandatory annual online training on information protection and cybersecurity. Training includes guidance on how to protect the Company from cybersecurity threats and report security incidents. We provide ongoing awareness and conduct phishing exercises that cover 100% of our technology-enabled employees several times a year. Certain groups that work with sensitive information (such as our Finance and Human Resources teams) receive additional training. Employees are regularly reminded to report suspicious activity or loss of sensitive information to our IT and Legal departments.
Data privacy
Where appropriate, necessary, and in connection with our business, we collect and use certain confidential and personal information regarding employees, customers, business partners, vendors, and other third parties. Gildan’s data privacy policies outline the requirements for the privacy and protection of personally identifiable information under Gildan’s control and guide our efforts to protect this information. These policies apply to and guide the activities of all Gildan employees, agents, service providers, and consultants involved in the processing of personally identifiable information. We conduct internal audits of compliance with our Data Privacy Policy as part of our rotational audit plan. We also work with third-party auditors to audit our compliance.