There are many ways to perform a risk analysis. In the simplest of these, the analyst is responsible for identifying and assigning a level to each risk, but this method produces a very subjective result. Other risk analysis methods seek to give an accurate estimate that is less dependent on the subjective opinion of the analyst.
Standard ISO/IEC 27005 may be useful in understanding the variety of methods. This standard does not describe a specific method, but reviews the various phases of risk management and presents different ways of implementing these phases. For example, an essential difference between methods is whether they take a qualitative or a quantitative approach: qualitative methods tend to be less complex and less expensive to carry out, and are well suited to producing an initial estimate.
In terms of specific methods, there are many: OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), FAIR (Factor Analysis of Information Risk), NIST RMF (National Institute of Standards and Technology's Risk Management Framework), MAGERIT (Methodology for Information Systems Risk Analysis and Management), or the guidelines for SMEs on the security of personal data processing proposed by ENISA (https://www.enisa.europa.eu/publications/guidelines-for-smes-on-the-security-of-personal-data-processing).
In accordance with additional provision 1 of the LOPDGDD, the National Security Framework (ENS) determines the security measures that must be implemented to protect personal data in public sector entities (those listed in Article 77.1 of the LOPDGDD) and in other agents who provide processing services to them. Although the ENS only requires the use of an internationally recognised risk analysis method (without naming any specific one), MAGERIT was developed with the aim of facilitating the implementation of such risk analyses.
Regardless of the methodology used, it should be noted that the assessment of risks to the rights and freedoms of individuals requires an analysis from the point of view of the data subjects; that is, it must be borne in mind that a risk an organisation might find acceptable from its own point of view could have a very high impact on a particular individual.
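To make the two points above concrete, the qualitative-versus-quantitative distinction and the requirement to rate impact from the data subject's perspective as well as the organisation's, here is a small added example written for this page (it is not code from ISO/IEC 27005, MAGERIT, FAIR, ENISA or any other method named above). The 1 to 5 scales, the risk bands, the single-point expected-loss formula and the two sample risks are all constructed assumptions for illustration; a real quantitative analysis would work with ranges or distributions rather than single figures.

```python
"""
Added illustration, not part of the original text: a minimal risk-scoring helper that
contrasts a qualitative likelihood x impact matrix with a simple quantitative
(expected annual loss) estimate, and that rates each risk from two perspectives,
the organisation's and the data subject's. All scales, labels and sample risks are
constructed for this example and are not taken from any of the named methods.
"""
from dataclasses import dataclass

# Constructed 1-5 ordinal scales for the qualitative approach.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Ordered risk bands, lowest first, so levels can be compared.
LEVEL_ORDER = ["low", "medium", "high", "very high"]


def qualitative_level(likelihood: str, impact: str) -> str:
    """Map likelihood x impact (a 1..25 product) onto one of four risk bands.
    The band thresholds are an assumption chosen for this example."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 15:
        return "very high"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def expected_annual_loss(events_per_year: float, loss_per_event: float) -> float:
    """Quantitative single-point estimate: expected loss = frequency x magnitude.
    (FAIR-style analyses use ranges/distributions; this is deliberately simplified.)"""
    return events_per_year * loss_per_event


@dataclass
class Risk:
    name: str
    likelihood: str
    org_impact: str        # impact as the organisation would rate it
    subject_impact: str    # impact on the affected individuals
    events_per_year: float
    loss_per_event: float  # constructed monetary figure (organisation's loss per event)


def assess(risk: Risk) -> dict:
    """Rate one risk qualitatively from both viewpoints and quantitatively for the
    organisation. The overall level never drops below the data-subject view, which is
    the view that matters for rights and freedoms."""
    org_level = qualitative_level(risk.likelihood, risk.org_impact)
    subject_level = qualitative_level(risk.likelihood, risk.subject_impact)
    return {
        "risk": risk.name,
        "organisation": org_level,
        "data_subject": subject_level,
        "expected_annual_loss": expected_annual_loss(risk.events_per_year, risk.loss_per_event),
        "overall": max(org_level, subject_level, key=LEVEL_ORDER.index),
    }


# Constructed sample risks (hypothetical figures, not real data).
SAMPLE_RISKS = [
    # Cheap for the organisation, severe for the individuals whose records are exposed.
    Risk("loss of an unencrypted laptop holding health records",
         "unlikely", "minor", "severe", 0.2, 5000.0),
    # Costly and visible for the organisation, but no personal data involved.
    Risk("public website defacement",
         "possible", "moderate", "negligible", 1.0, 20000.0),
]


def assess_all(risks=SAMPLE_RISKS) -> list:
    return [assess(r) for r in risks]


if __name__ == "__main__":
    for result in assess_all():
        print(result)
```

Running the block shows the point the text makes: the laptop loss scores only "medium" and a small expected loss from the organisation's side, yet "high" from the data subjects' side, so it is carried at "high" overall; the defacement is the reverse, "high" for the organisation and "low" for individuals.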