Governance
Our Information Security Policy, data privacy policies, and Information Assets Protection Policy govern our cybersecurity procedures.
The Company’s Information Security Committee (ISC) oversees information security and develops and approves related policies. Chaired by our Chief Information Officer and co-chaired by our Global Information Security Director, the ISC is a cross-functional group that includes our Chief Legal and Administrative Officer, Senior Vice-President, Finance, and other senior leaders from the Company’s Information Technology (IT), Legal Affairs, Physical Security, Risk Management, Internal Audit, and Human Resources departments.
To ensure compliance with applicable privacy laws and regulations, monitor and mitigate risks associated with data privacy breaches, and oversee the ethical and responsible use of third-party artificial intelligence (AI) systems and tools across the organization, the ISC oversees data privacy and AI governance through the Data Privacy and AI Governance sub-committee. Led by our Data Privacy Officer, this sub-committee is comprised of a cross-functional group including representatives of the different functions involved with privacy matters across the organization.
Both the ISC and the Data Privacy and AI Governance sub-committee meet quarterly and on an ad hoc basis and report major developments to the Company’s Compliance Steering Committee, which, in turn, provides quarterly updates to the Board of Directors’ Corporate Governance and Social Responsibility Committee. In addition, the Chief Information Officer provides quarterly information security reports to the Board’s Audit and Finance Committee, and a full report on IT and cybersecurity strategies to the Board each year.
Approach
We leverage ISO 27001 and the National Institute of Standards and Technology (NIST) framework to efficiently manage information security risks and align our information security policies with industry best practices. We also collaborate with external partners and government agencies to ensure our information systems and management team remain up to date.
Our Montreal headquarters and data centres are ISO 27001-certified.
All Gildan administrative and office employees receive mandatory annual online training on information protection and cybersecurity. Training includes guidance on how to protect the Company from cybersecurity threats and report security incidents. We provide ongoing awareness and conduct phishing exercises that cover 100% of our technology-enabled employees several times a year. Certain groups that work with sensitive information (such as our Finance and Human Resources teams) receive additional training. Employees are regularly reminded to report suspicious activity or loss of sensitive information to our IT and Legal departments.
Data privacy
Where appropriate, necessary, and in connection with our business, we collect and use certain confidential and personal information regarding employees, customers, business partners, vendors, and other third parties. Gildan’s internal privacy policy and our Employee Privacy Handbook outline the requirements for the privacy and protection of personal information under Gildan’s control and guide our efforts to protect this information. It applies to all Gildan employees and contractors processing personally identifiable information. We conduct internal audits of compliance with our internal privacy policy as part of our risk-based audit plan. We also work with third-party auditors to audit our compliance.
Responsible use of AI
We believe new technologies — including AI — can benefit many aspects of our business. Our internal AI policy helps ensure the safe and ethical use of AI across our operations. Information on our policy is included in our annual information protection and cybersecurity training.