How to assess privacy risks?