Electronic copy available at: https://ssrn.com/abstract=3130392

GDPR and the Internet of Things: Guidelines to Protect Users’ Identity and Privacy

Sandra Wachter 1, 2

1 Oxford Internet Institute, University of Oxford, 1 St Giles, Oxford, OX1 3JS, United Kingdom
2 The Alan Turing Institute, British Library, 96 Euston Rd, London, NW1 2DB, United Kingdom

Corresponding author:
Dr. Sandra Wachter
Oxford Internet Institute
University of Oxford
1 St. Giles
Oxford, OX1 3JS
United Kingdom
sandra.wachter@oii.ox.ac.uk
+44(0)7478340679

Funding

This article is a deliverable of the Privacy-Enhancing and Identification-Enabling Solutions for IoT (PEIESI) project, part of the PETRAS Internet of Things research hub. PETRAS is funded by the Engineering and Physical Sciences Research Council (EPSRC), grant agreement no. EP/N023013/1.

Conflicts of interest

The author declares no actual or potential conflicts of interests. No financial interests or benefits have arisen from the direct application of this research.

Acknowledgements

The author is indebted to Dr. Mariarosaria Taddeo and Dr. Brent Mittelstadt of the University of Oxford, and the ‘Ethics, Privacy, and Trust in IoT’ workshop participants who provided invaluable feedback during preparation of the manuscript and improved the quality of the work greatly. The author would also like to thank the EPSRC for the funding provided to the PETRAS consortium which made preparation of this article possible.