Privacy & Cybersecurity Law Blog

On August 28, 2025, the UK Information Commissioner’s Office (“ICO”) initiated a public consultation on draft guidance on Distributed Ledger Technologies (“DLTs”), with a focus on blockchain (the “Guidance”). The Guidance aims to assist organizations with their understanding of DLTs, in particular blockchain, and how data protection law may apply in different scenarios and transactions.

The Guidance is divided into different sections, highlighting several issues that organizations should consider, such as:

• Personal data: In blockchain, online identifiers such as smart contract addresses, wallet addresses, and unique transaction identifiers may be considered personal data under the UK General Data Protection Regulation (“UK GDPR”). In making this assessment, the ICO recommends considering whether the identifier could be combined with other data to identify an individual.
• International transfers: The UK GDPR imposes certain rules on transferring personal data to recipients outside the UK. Organizations must assess the level of data protection in countries where they transfer personal data and ensure compliance with UK GDPR when sharing data with blockchain nodes situated outside the UK. This requires careful verification and vetting of non-UK parties involved in the blockchain.
• Controllers and processors: Participants in a blockchain may be considered controllers or processors depending on their role in determining the purposes and means of data processing. For example, participants who create transactions containing personal data and send them for validation may be considered controllers, whereas participants operating validator nodes may be considered processors if they only validate transactions. Participants should assess whether they are acting as a controller, joint controller or processor and ensure they adhere to the relevant data protection obligations.
• Rights to rectification and erasure: Blockchain's nature can make it challenging to comply with individual rights such as rectification and erasure. Organizations should consider off-chain storage solutions to facilitate data correction and deletion requests.
• Compliance with data protection principles: Blockchain's decentralized nature poses challenges for complying with principles like purpose limitation, data minimization, and storage limitation. Organizations must consider these principles in the design phase and use solutions like off-chain storage or data purges.
• Data protection by design: Organizations are reminded to integrate technical and organizational measures to safeguard individuals’ rights throughout the design and implementation of blockchain products, ensuring compliance with data protection obligations from the outset.

The consultation on the draft Guidance will close on November 7, 2025 (see consultation here).