Information Commissioner’s Office
Key takeaways
ICO guidance on DLT’s
Draft guidance clarifies how UK GDPR applies to distributed ledger technologies like blockchain.
Key focus areas
Roles (controllers/processors), data protection principles, privacy-by-design, and handling data subject rights.
Timeline and action
Final guidance due spring 2026; businesses should start integrating compliance measures now.
The ICO (Information Commissioner’s Office) is the UK’s independent regulator for data protection and privacy. Recently, it closed its consultation on draft guidance for DLTs (Distributed Ledger Technologies), which refers to multiple node data storing systems. They are becoming a frequently used system in supply chain management, identify verification and financial services, and they raise unique challenges for data protection such as how to handle personal data on immutable ledgers.
This consultation ran from 28 August to 7 November 2025 and invited feedback from industry stakeholders on how UK GDPR principles apply to new and emerging technologies. The ICO’s draft guidance aims to clarify:
-
Legal roles and responsibilities in the form of how to identify controllers and processors in distributed environments.
-
Data protection principles in applying minimisation, accuracy and storage limitation when data cannot easily be altered or deleted.
-
Design and governance by encouraging privacy-by-design, impacting assessments and accountability frameworks for DLT projects.
-
Individuals rights, specifically data subject requests in systems designed for permanence.
Final guidance is expected in spring 2026, allowing organisations adequate time to prepare for the outcome. For businesses who explore blockchains or other DLT solutions, the ICO’s draft guidance makes it clear that compliance cannot be an afterthought, and they should start integrating data protection measures now so they’re ready when the final rules take effect.
This article was co-authored by Maddie Rimmer.
