1 Scope
This document provides guidelines for organizational privacy risk management, extended
from ISO 31000:2018.
This document provides guidance to organizations for integrating risks related to
the processing of personally identifiable information (PII) as part of an organizational
privacy risk management programme. It distinguishes between the impact that processing
PII can have on an individual with consequences for organizations (e.g. reputational damage). It also provides guidance for incorporating
the following into the overall organizational risk assessment:
— organizational consequences of adverse privacy impacts on individuals; and
— organizational consequences of privacy events that damage the organization (e.g. by harming its reputation) without causing any
adverse privacy impacts to individuals.
This document assists in the implementation of a risk-based privacy program which
can be integrated in the overall risk management of the organization.
This document is applicable to all types and sizes of organizations processing PII
or developing products and services that can be used to process PII, including public
and private companies, government entities, and non-profit organizations.