Risk assessment for GenAI begins with comprehensive data flow mapping, tracing inputs, processing, and outputs to pinpoint privacy vulnerabilities like unintended data leakage. This step reveals how personal information is handled, enabling classification of risks under frameworks like GDPR or ISO 27701. It facilitates the identification of controls such as anonymization or consent mechanisms. In GenAI, where models infer from vast data, this prevents re-identification attacks. Exact extract: "A primary step in GenAI data privacy risk assessment is conducting data flow mapping to identify and mitigate privacy risks." (Reference: Cyber Security for AI by SISA Study Guide, Section on Privacy Risk Models, Page 235-238).