About this guidance
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Distributed ledger technologies (DLTs), such as blockchain, seek to store, synchronise and maintain digital records across a network of computing centres. Their uses extend from cryptocurrencies and digital identity to the developing world of Web 3.0.
With the potential for increasing adoption, it is important that organisations understand their responsibilities to use personal information responsibly when using DLT.
This guidance gives practical information to potential adopters on how DLTs operate and how data protection law applies to the use of the technology.
Who is it for?
This guidance is aimed at developers and users of DLTs, including but not limited to executives, managers, DPOs and legal counsel involved.
How should we use this guidance?
To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.
Legislative or legal requirements
- Must refers to legislative requirements or established case law (for the laws that we regulate) that is binding.
Good practice
- Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
- Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.