
DSF/ISO/IEC DIS 27557

Information technology – Information security, cybersecurity and privacy protection – Organizational privacy risk management

Organization: DS
Status: inactive
Page Count: 26
ICS Code (IT Security): 35.030
Scope:

This document provides guidelines for organizational privacy risk management. It provides guidance to organizations for integrating risks related to the processing of PII as part of an organizational privacy risk management program. It distinguishes between the impact to an individual that processing PII may cause and the consequences for organizations (e.g. reputational damage), and provides guidance for incorporating the following into the overall organizational risk assessment:

- the organizational consequences of adverse privacy impacts on individuals; and
- the organizational consequences of privacy events that damage the organization (e.g. by harming its reputation) without causing any adverse privacy impacts to individuals.

This document assists in the implementation of a risk-based privacy program which can be integrated into the overall risk management of the organization and supports the requirement for risk management as specified in management systems (such as ISO/IEC 27701). This document is applicable to all types and sizes of organizations, including public and private companies, government entities and non-profit organizations processing PII, or developing products and services that can be used to process PII.

Document History

November 7, 2022
Information security, cybersecurity and privacy protection – Application of ISO 31000:2018 for organizational privacy risk management
This document provides guidelines for organizational privacy risk management, extended from ISO 31000:2018. This document provides guidance to organizations for integrating risks related to the...
DSF/ISO/IEC DIS 27557
Information technology – Information security, cybersecurity and privacy protection – Organizational privacy risk management
This document provides guidelines for organizational privacy risk management. This document provides guidance to organizations for integrating risks related to the processing of PII as part of an...