This chapter will critically assess whether the GDPR can tackle the data protection issues in the IoT. After an introduction to the GDPR, which will be framed as a ‘data control’ law, Chapter 5 will present the main data protection issues in the IoT. It will then focus on one of them that is usually overlooked: ‘digital dispossession.’ This refers to IoT companies’ (ab)use of intellectual property rights (especially trade secrets) to appropriate citizens’ data and prevent them from exercising their data subject rights, including the right of access. Digital dispossession is part of a wider phenomenon whereby the new data economy relies on the commercialisation of data. This is leading to the privatisation of ownership of both the IoT’s infrastructure and data. Digital dispossession will be analysed as a tenet of the theory of surveillance capitalism. To understand what practically happens to IoT users’ data, the chapter will move on to analyse Alexa’s data practices by means of a subject access request, interactions with Amazon’s customer support staff, and text analysis of the relevant privacy policy. Finally, it will consider whether the GDPR is fit for the IoT. To carry out this fitness check, the chapter will explore whether the rights to access, to portability, to be informed, and not to be subject to solely automated decisions can be successfully invoked to counter IoT companies’ digital dispossession practices, or whether by contrast trade secrets may give these companies a weapon to nullify the GDPR rights.