Art. 33 of the current proposal for a new European Data Protection Regulation obliges controllers of personal data processing systems to perform a “data protection impact assessment”. This means that “risks to the rights and freedoms of data subjects” will have to be proactively assessed. This idea of assessing risks to rights is novel in data protection, and deserves particular attention. It epitomises the shift from classical legal practice to more risk-based approaches. Traditionally, rights and risks belong to the different spheres of knowledge and social organisation of courts and organisational risk management. Coupling them in the proposed fashion could change their respective meanings into something hardly predictable. This application proposes to explore the nature of the relation between both concepts within the assessment of a “risk to a right”. This will occur by mapping the various relations that exist between risks and rights in different sectors, by deepening the legal insights in these relations, and the application of the resulting map to a case study on smart grids technology. This should serve to identify gaps in the way DPIAs are currently operationalized, which can in turn provide opportunities for improvement and for lessons from other practices and expertises that strike different relations between risks and rights. In this way this research aims to contribute to more socially robust assessments of the risks to the rights of privacy and data protection.