The following document can be used for determining the baseline of the Workshop 1 of EBIOS Risk Manager, when the scope of the study is a processing of personal data:
It constitutes a declaration of applicability relating to the fundamental principles related to the protection of privacy.
The other Workshops of the study makes it possible to satisfy the obligations of the GDPR in terms of security (cf. art. 32) if you assess the impacts on the data subjects in addition to those on the organization.
You can thus use EBIOS Risk Manager to carry out a PIA (cf. art. 35).