Incident Management

PROCESS APPLIES TO

Follow this process when a privacy or security incident occurs.

Information Security Incident: An event that affects P&G information and/or systems and violates the law and/or Company policy/standards. These events may transpire within P&G systems or properties or within its designated third party vendor systems or properties that manage P&G data and/or systems (e.g., the P&G shareholder database). An Information Security Incident has or could compromise the confidentiality, integrity and/or availability of P&G information or operations and may be caused by P&G personnel and/or third party actors through intentional or unintentional means.

Privacy Incident: a type of Information Security Incident caused by any actual or probable unauthorized access to Personally Data, such as:

• Internal exposure of Personal Data to the wrong individuals.
• External exposure of Personal Data to the wrong individuals or to the public.
• Data corruption that merges individuals’ Personal Data.
• Loss of hardware — computers, thumb drives, CDs, etc.
• Unauthorized access to Personal Data - hacking/theft/abuse.

WHAT TO DO WHEN YOU BECOME AWARE OF AN INFORMATION SECURITY OR PRIVACY INCIDENT

Immediately inform the P&G incident experts by emailing incident details to securityincident.im@pg.com . Include the following information, if available:

• Cause of incident or potential disclosure and if the cause has been contained or remediated
• Types of data involved (e.g., names, credit card numbers, government IDs, sensitive business information)
• Location of impacted people and number of data records (if personal data involved)
• Potential impact to Company systems and data

INCIDENT MANAGEMENT PROCESS

After you inform securityincident.im@pg.com, a team of Company experts will investigate and respond to the potential incident.