La Agencia Española de Protección de Datos (AEPD) recently published guidance for organisations on how to assess the risks involved in personal data processing operations (42-page / 8.89MB PDF). It also updated existing guidance on conducting data protection impact assessments (DPIAs) (66-page / 9.47MB PDF).
The Spanish authority recommends the registry of processing operations as starting point for the risk assessment and includes a number of templates to carry out the risk assessment procedure, including questions on the type of data processed, and the purpose of the processing. The guide also includes a template to assess the life circle of the personal data from the moment the personal data is collected to the moment the personal data is destroyed