As numerous devices are joining the Internet, we will soon face a foggy and cloudy world of interconnected smart devices. Cloud systems already started to dominate the Internet and with the appearance of things of the Internet of Things (IoT) paradigm, IoT Cloud systems are formed. In these systems personal data is increasingly being transferred possibly across borders and stored on servers in multiple countries, which requires strong principles for protecting individuals' data, aimed at easing the flow of personal data across borders while still ensuring a high and consistent level of protection without loopholes or unnecessary complexity. The European Commission has started to modernize its legal system for the protection of personal data to respond to the use of these new technologies: to strengthen users' influence on their personal data and to reduce administrative formalities, and to improve the clarity and coherence of the EU rules for personal data protection. To achieve these goals, the Commission created a new legislative proposal, called General Data Protection Regulation (GDPR). It introduces the Data Protection by Design principle that aims to reduce possible privacy harms of Fog environments. In this paper we analyze the latest restrictions introduced by the GDPR, and discuss how these legal constraints affect the design and operation of IoT applications in the Fog.