The use of mobile phone data (MPD) for official statistical purpose is increasing. MPD are very useful for statistics related to population, migration, mobility. For instance, in developing countries, MPD can provide update estimates of population density, in the absence of other sources. In developed countries, often population registers are available, however, MPD provide more timely and detailed information, describing habits and behaviors that are not reported in the registers but they are also important for policy-making etc., e.g. human mobility, population density at a given time-space. Moreover, MPD can be used as auxiliary information for topics like poverty, SDG indicators. Finally, MPD allow evaluating the coverage of the population registers. However, the utility of MDP should be balanced by the risk for privacy violation of personal data. In fact, even if MPD are provided without direct identifiers (e.g. name, surname, date of birth, address, personal tax code) we cannot state they are anonymous. Several works claimed that it is possible to isolate a subject in a MPD database or link the MPD to subjects in different databases, or deduce, with significant probability, a characteristic of a subject from the MPD. So, MPD should be considered as personal data according to the GDPR, with an evaluation of the risk of re-identifying a person, even if personal data has been de-identified, encrypted or pseudonymised. Hence, to allow using MPD in a privacy preserving framework, a data protection impact assessment should be evaluated. This means to describe the planned processing operations, to assess the risks to privacy, to plan the measures to address those risks. In this work, we investigate the risk of privacy and provide statistical measures. In cooperation with a mobile phone provider, we apply our investigation to real data. We focalize on the usage of MPD in an NSI and on the privacy attacks and privacy risks that are likely to occur even when MPD are provided without identifiers. In particular, we devote our attention to the case in which the external knowledge comes from statistical population registers and employees-employers databases, and these can be compared to the MPD in order to identify single user. Hence, we consider privacy attacks, defined as “Home and Work Attack” where an intruder knows the two most frequent locations of an individual and their frequencies. We provide measures for the privacy risk, that are the first step in oder to prepare actions for usages of MPD in official statistics in a privacy-protected environment. Risk assessment is one of the fundamental elements to define the processing of data and the integration with security policies and privacy protection: this is the newness of the principle of privacy by design.