  • Thesis

Construction and Empirical Validation of a Risk Assessment Mechanism for Personal Data Operations

A Study of Risk Assessment Mechanism for Personal Information Operations

Advisor: 張碩毅

Abstract


In recent years the application of information technology has become one of the key factors in a company's success and competitiveness. As time has passed, however, information security incidents caused by the adoption of information technology have occurred one after another. In 2011 Sony in Japan and in 2012 Mega Bank (兆豐銀行) in Taiwan each suffered an information security incident, a website intrusion by hackers and careless supervision of a hard-disk destruction process respectively, that leaked large volumes of personal data held by the organisation and led to fines from the Taiwanese judicial authorities and the Financial Supervisory Commission (FSC). On personal data protection, Taiwan formally implemented the revised Personal Information Protection Act in 2012, expanding the protected subjects and objects: all natural persons and all forms of data are now protected and regulated by the new Act. The new Act also increases the penalties and strictly prescribes the rules to be followed during collection, processing and use, so its implementation will inevitably affect organisations holding personal data to varying degrees. This study therefore aims to construct a risk assessment mechanism that helps enterprises and organisations effectively identify the risks that can arise in personal data operations (collection, processing and use), so that they can prevent personal data leakage and legal violations and fulfil their data management responsibilities. The study adopts Gowin's Vee as its research strategy. On the conceptual (literature) side, it collects and reviews the literature using grounded theory to identify the possible risks in personal data operations, and uses the 11 control domains of ISO 27001 as the classification framework for the 64 risk factors identified, thereby constructing the risk assessment mechanism. Expert questionnaires are then distributed to confirm that the identified risk factors are suitable and to obtain the relative importance of the risk factors from the experts' responses, yielding a ranking of the risk factors. On the empirical side, case interviews are used to understand the impact that implementation of the Personal Information Protection Act has had on practitioners and how they have responded, and to examine further the feasibility of using this risk assessment mechanism in practice. The results of this study are expected to help enterprises and organisations quickly and effectively identify the possible risks in personal data operations and their importance, so that an organisation neither overlooks a possible risk nor misjudges its importance, thereby reducing the risk and probability of violating the law or leaking personal data.

Parallel abstract (English)


In recent years, the application of information technology has become one of the key factors in running a business successfully and competitively. Over time, however, information security incidents resulting from the use of information technology have occurred one after another. For example, Sony Japan in 2011 and Mega Financial Holding in Taiwan in 2012 suffered information security incidents, a website intrusion and careless supervision of a hard-disk destruction process respectively, that leaked large volumes of personal data and drew fines from Taiwan's judicial authorities and the FSC. In Taiwan, the Personal Information Protection Act was formally implemented in 2012; the protected subjects and objects were expanded so that all natural persons and all forms of data are now protected and regulated by the new law. The new law also increases the penalties and strictly requires that certain rules be followed during collection, processing and use, and its implementation will affect organisations that hold personal data to different degrees. This research therefore aims to build a risk assessment mechanism that helps enterprises effectively identify the risks that can arise during the personal data process (collection, processing and use). The research adopts Gowin's Vee as its strategy. On the theoretical side, the literature is collected and studied using grounded theory to identify the possible risk factors, and the risk assessment mechanism is built from a classification framework of 64 risk factors organised by the 11 control areas of ISO 27001. Expert questionnaires are then distributed to confirm that the risk factors are suitable and to refine the mechanism.
On the methodological side, case interviews are used to understand the impact of the Personal Information Protection Act on industry and to evaluate the feasibility of the mechanism further. Based on the results of this research, an effective and quick method is expected to help enterprises identify the possible risks in processing personal data and the importance of those risks, so that enterprises neither ignore those risks nor misjudge their importance, thereby reducing the chance of legal violations or personal data leakage.


Cited by


周楷智 (2015). A Study of the Personal Data Protection Audit Mechanism for Educational Institutions: A Case of a National University [Master's thesis, National Chung Cheng University]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0033-2110201614034456
