Distributed Ledger Technologies: ICO consults on guidance

The Information Commissioner’s Office (ICO) has launched a consultation on draft guidance on distributed ledger technologies. 

Describing distributed ledger technology (DLT) as “a type of digital system that allows simultaneous access, validation, and record-keeping across a distributed database maintained by multiple users”, much of the guidance is dedicated to the most well-known and widely used form of the technology: blockchain. The draft guidance goes into considerable detail about how blockchain works, before setting out its implications for data protection law.  

Unsurprisingly, the ICO makes clear that if personal information is on or accessible via a blockchain, and the controller or processor is either located in the UK or offering goods or services to, or monitoring the behaviour of, people in the UK, UK data protection law applies. This immediately invites the question of who is the controller or processor in a blockchain, something that the ICO acknowledges is not straightforward, particularly in the context of permissionless blockchains. Nonetheless, the draft guidance suggests that participants who create transactions containing personal information and send them for validation are likely to be controllers, whereas those who merely operate validator nodes will likely be processors.  

The draft guidance acknowledges some of the other unique challenges that are posed by the technology. For example, the immutability of something like blockchain raises questions about how to comply with the rights of erasure and rectification, just as the persistent progression of a ledger makes compliance with the principles of purpose limitation, data minimisation, and storage limitation more challenging.  

Despite these challenges, the ICO provides advice on how organisations employing DLT can comply with their obligations under UK data protection law by taking a ‘data protection by design approach’. However, the draft guidance also makes the point that part of this process is to ask at the outset whether a technology like blockchain is needed within the organisation if other solutions can achieve the desired purposes while posing fewer challenges for data protection compliance.

The consultation on the draft guidance closes on 7 November 2025, and can be read in full here.
