THE LENS
Digital developments in focus

ICO Issues First Guidance on Distributed Ledger Technologies

The UK Information Commissioner’s Office (ICO) has followed the European Data Protection Board (EDPB) in issuing draft guidance on Distributed Ledger Technologies (DLTs), with finalised guidance expected in the winter of 2025/26. The ICO’s guidance is more high-level than the EDPB equivalent (see our previous blog and client briefing on the EDPB approach), but the ICO seeks to be more practical by including examples to illustrate key principles.

DLT and data privacy tensions

The draft guidance explains DLTs, including blockchain, from a technical perspective, and outlines several key UK General Data Protection Regulation (GDPR) compliance challenges, all of which have been well rehearsed over the last few years, including in our 2019 publication. These are also the same challenges identified by the EDPB and include uncertainty around controller and processor roles due to decentralisation, as well as difficulties in keeping personal data off-chain when identifiers such as wallet addresses can be linked to individuals. Further related challenges arise in fulfilling data subject rights such as erasure and rectification, reconciling blockchain with GDPR principles such as minimisation and accuracy, and managing cross-border transfers where nodes operate across multiple jurisdictions.

Although both the EDPB and the ICO highlight similar tensions, the ICO, unlike the EDPB, clearly acknowledges that organisations “may struggle to demonstrate compliance with data protection law when processing personal information on a permissionless blockchain,” with respect to international data transfer rules and data subject access requests.

Anonymisation

The EDPB’s guidance did not consider whether encryption or hashing can, in certain circumstances, effectively achieve anonymisation or deletion. Nor did it tackle the question of whether information could be considered personal data for one party (e.g., someone with the relevant key) but not for another (e.g., a node operator without access to that key). However, in the recent judgment by the EU Court of Justice in the Single Resolution Board case, the court agreed with the Advocate General’s opinion (see our previous blog) that pseudonymised data may qualify as personal data for one person but not for another, where the pseudonymisation measures are sufficient to prevent that other person from identifying the data subject. This approach aligns with the ICO’s anonymisation guidance (see our previous blog), which adopts a relative view of personal data, emphasising a “whose hands” perspective.

The draft ICO guidance on DLT applies this approach in considering how controllers could use differential privacy techniques involving the addition of random noise to data to effectively anonymise that data in the hands of others. The output of such differential privacy techniques may not constitute personal information in the hands of other participants. The draft guidance does not however address how this applies to hashing or encryption in blockchain, where more specific guidance would be useful.

Right to rectification

The draft ICO guidance suggests that, in the context of on-chain data, controllers should consider whether they can use a later transaction to ‘cancel’ an earlier one for rectification purposes, and whether they can put information beyond use to comply with erasure requests. It does not however deal with the question of whether the right to rectification may in some cases require erasure of the erroneous data. We highlighted in our 2019 publication and our recent client briefing on the EDPB guidance that it is unclear whether appending a subsequent correction will always be sufficient to achieve rectification. 

Other recommendations

The other recommendations in the draft guidance are not surprising, and include to:

  • Assess whether blockchain is necessary at all, or whether other options, such as a traditional database, would pose fewer data privacy challenges.
  • Prepare a DPIA, with the ICO suggesting this is mandatory in almost all cases.
  • Minimise on-chain personal data, for example, by storing a hash on-chain or using cryptographic commitments.
  • Design mechanisms to enable data subject rights of access, rectification and erasure. 
  • Manage cross-border risks through applying safeguards where nodes sit outside the UK.
  • Use privacy enhancing technologies, such as:
    • zero-knowledge proofs (which allow someone to verify a statement about information without learning the underlying data),
    • homomorphic encryption (which allows calculations to be performed on encrypted data without decrypting it), and
    • differential privacy (which involves injecting random noise to reduce the information conveyed by certain data).
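The minimisation and erasure recommendations above turn on a technical question the draft guidance leaves open: when is an on-chain hash still personal data in the hands of a node operator? The following Python is an added example, not part of the ICO guidance or of this blog. It shows that a bare SHA-256 of a low-entropy identifier is recovered by anyone with a guess list, whereas a hash commitment with a random 256-bit nonce held off-chain is not, and that destroying the nonce is one way to put the immutable on-chain value beyond use. The sample email addresses and the `OffChainStore` helper are constructed for illustration; whether such a commitment satisfies the ICO’s or EDPB’s anonymisation tests is exactly the point the guidance does not yet settle.

```python
"""Added example (not from the ICO draft guidance or the blog): why a bare hash
of an identifier stays linkable on-chain, and how a salted commitment plus
off-chain nonce destruction changes that. All sample data here is constructed."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample identifiers: the kind of low-entropy data an organisation
# might be tempted to "anonymise" by hashing before writing it on-chain.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def bare_hash(value: str) -> str:
    """The naive approach: SHA-256 of the raw identifier, no salt, no secret."""
    return hashlib.sha256(value.encode()).hexdigest()


def dictionary_attack(target: str, candidates: List[str]) -> Optional[str]:
    """A node operator holding no secret at all recovers the identifier simply
    by hashing guesses. Email addresses, names and wallet addresses are
    low-entropy, so this is cheap: the bare hash is personal data in everyone's
    hands, not just the controller's."""
    for candidate in candidates:
        if bare_hash(candidate) == target:
            return candidate
    return None


def commit(value: str, nonce: bytes) -> str:
    """Hash commitment H(nonce || value) with a 256-bit random nonce kept
    off-chain. Without the nonce a guess cannot be checked against the
    on-chain value (hiding); with the nonce the controller can later show
    what was committed (binding)."""
    return hashlib.sha256(nonce + value.encode()).hexdigest()


def verify_commitment(on_chain: str, value: str, nonce: bytes) -> bool:
    """Off-chain opening of the commitment. Constant-time comparison so the
    verifier does not leak the digest byte by byte through timing."""
    return hmac.compare_digest(commit(value, nonce), on_chain)


class OffChainStore:
    """Hypothetical helper holding the per-record nonce. Deleting the nonce is
    the 'put beyond use' step: the immutable on-chain commitment can no longer
    be opened or verified by anyone, the controller included."""

    def __init__(self) -> None:
        self._nonces: Dict[str, bytes] = {}

    def register(self, record_id: str, value: str) -> str:
        nonce = secrets.token_bytes(32)
        self._nonces[record_id] = nonce
        return commit(value, nonce)  # this digest is what goes on-chain

    def can_open(self, record_id: str, on_chain: str, value: str) -> bool:
        nonce = self._nonces.get(record_id)
        return nonce is not None and verify_commitment(on_chain, value, nonce)

    def erase(self, record_id: str) -> None:
        """Crypto-shredding: destroy the nonce. The chain entry stays, but it is
        now an unlinkable 256-bit string with no remaining opening."""
        self._nonces.pop(record_id, None)


def demo() -> Dict[str, object]:
    """Run the four scenarios and return the outcomes for checking."""
    results: Dict[str, object] = {}
    # 1. Bare hash on-chain: reversed with a small guess list.
    target = bare_hash("bob@example.org")
    results["bare_hash_recovered"] = dictionary_attack(target, SAMPLE_EMAILS)
    # 2. Commitment on-chain: same guess list, no nonce, nothing matches.
    store = OffChainStore()
    on_chain = store.register("rec-1", "bob@example.org")
    results["commitment_guessable"] = dictionary_attack(on_chain, SAMPLE_EMAILS) is not None
    # 3. The nonce holder can still open it (e.g. to evidence a later rectification).
    results["opens_before_erase"] = store.can_open("rec-1", on_chain, "bob@example.org")
    results["rejects_wrong_value"] = store.can_open("rec-1", on_chain, "alice@example.com")
    # 4. After erasure nobody can open the on-chain value, the controller included.
    store.erase("rec-1")
    results["opens_after_erase"] = store.can_open("rec-1", on_chain, "bob@example.org")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The security of the commitment rests entirely on the nonce being high-entropy and kept off-chain; a short or predictable salt reduces it to the bare-hash case. Note also that erasing the nonce only removes the ability to open the commitment; if the same identifier was written elsewhere with a different commitment, each record needs its own nonce to be shredded independently.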

So, where does this leave organisations? 

Unfortunately, this guidance, like that of the EDPB, does not provide solutions to all of the privacy challenges with DLT; hence one of the ICO’s recommendations is to keep personal data off the blockchain altogether. This may be inevitable given the tensions between a decentralised, immutable blockchain and many of the GDPR principles. So, if the guidance is finalised in largely this form, its greatest use is likely to be in confirming the challenges rather than in providing a way forward.

