First, it is important to note that using ISO 27001 is not mandatory for fulfilling GDPR requirements. To perform risk assessment, you can use any approach your organization sees fit for its purpose.
Additionally, ISO 27001 does not prescribe any method to perform risk assessment; it only defines requirements to be fulfilled by the adopted risk assessment process.
With that in mind, the purpose of GDPR is the protection of personal information from being accessed, modified, or destroyed in an uncontrolled manner, so examples of risks to consider in a risk assessment, given the elements you mentioned, are:
an unattended computer storing biometric data can be stolen or invaded
an untrained employee can inadvertently delete biometric data
a biometric reader can fail during a data-gathering session
This material will also help you regarding risk management: