A privacy risk (definition: PIA methodology, www.cnil.fr) is a hypothetical scenario that describes how risk sources could exploit the vulnerabilities in personal data supporting assets, in a context of threats, and allow feared events to occur on personal data (e.g. illegitimate access to personal data), thus generating impacts on the privacy of data subjects (e.g. unwanted solicitations, feelings of invasion of privacy, etc.).
Risk assessment is a continuous improvement process. It requires several iterations to achieve an acceptable privacy protection system. It also requires monitoring of changes over time (in context, controls, risks, etc.), for example every year, with updates whenever a significant change occurs.
The legislation makes it mandatory only in a number of cases; however, it is easier to comply with the legislation if you carry out a risk assessment for all of your data assets.