The IoT is innovative and important phenomenon prone to several services and applications such as the blockchain, but it should consider the legal issues related to the data protection law. We should be taken into account the legal issues related to the data protection and privacy law. Technological solutions are welcome, but it is necessary, before developing applications, to consider the risks which we cannot dismiss. Personal data is a value. It is important to evaluate the European Regulation n. 679/2016, European General Data Protection Regulation (GDPR) that will enter into force on 25 May 2018. The GDPR introduces Data Protection by Design and by Default, Data Protection Impact Assessment (DPIA), data breach notification and significant administrative fines in respect of infringements of the Regulation. It is fundamental to evaluate the legal issues and prevent them, adopting in each project the Data Protection by Design approach. Regarding the data protection and security risks, there are some issues with potential consequences for data and liability. A correct law analysis allows evaluating risks preventing the wrong use of personal data. The contribution describes the main legal issues related to privacy and data protection focusing on the Privacy by Design approach, according to the GDPR.