
How do you apply data protection by design to blockchain?


In detail

Data protection law says you must put in place appropriate technical and organisational measures to safeguard individual rights and implement the data protection principles effectively. 

This requirement to ‘bake in’ data protection considerations from the planning stage right through the lifecycle of the personal information you use is known as data protection by design and default. 

Do we need a blockchain? 

If you’re a controller planning to use blockchain to process personal information, start by asking yourself: is blockchain the right tool for this purpose? This is particularly the case if there are other, pre-existing solutions that you can use to achieve your purpose, especially where they pose fewer challenges for data protection compliance. 

One way to assess this is to consider whether the particular features of your chosen blockchain are necessary requirements for you to achieve your intended outcome.

For example, you may have a choice between a traditional database or a blockchain. In these circumstances, you should ask yourself things like:

  • Do you want everyone with access to the blockchain to see the on-chain data?
  • Do you want to verify everything recorded on it?
  • Do you want every participant to verify the records on the ledger?

Blockchain’s feature of public verifiability means that anyone can verify what is recorded on the ledger and have a consistent view of it. But this also means that all the recorded logs and other on-chain information are visible to all participants at all times. 

In a traditional database solution, access to the information is more controlled. You can effectively implement controls to ensure that different users only have access to the information they need for their tasks. While this does mean users won’t all see the same thing or have access to everything by default, this may be more appropriate from a data protection by design perspective. 

In general, using a blockchain in place of a centralised database could be an appropriate choice, if:

  • you need to store the state of the records after each insertion;
  • there are multiple participants who will write to the ledger;
  • all the participants need to have a consistent view of the ledger; and
  • the participants writing to the ledger do not trust each other.

What measures do we need when using blockchain?

Assuming you have identified that a blockchain is an appropriate way of delivering your product or service, you will then need to decide on the blockchain platform you require. This may require you to gather insights and to obtain expertise beyond the scope of this guidance. Once you identify a blockchain platform, you must then carefully evaluate your role on this platform and that of any ecosystem players involved.

You may be playing different roles when using a blockchain, such as:

  • deciding to design and implement a blockchain solution that processes personal information;
  • determining that blockchain is the way to achieve your purpose but buying the solution or service from elsewhere;
  • intending to join a pre-existing solution as a participant;
  • acting as a blockchain-as-a-service provider; or
  • designing solutions as a blockchain or protocol developer.

In each of the above scenarios, you must establish your responsibility as a controller or processor (or joint controller or processor) and demonstrate your compliance.

The legal requirement to protect personal information applies in the same way for blockchain as it does to the use of other technologies. 

However, blockchain is an innovative technology that continues to develop. Some of the risks it poses to people’s data protection rights may be challenging for you to mitigate. 

Remember, you must identify and mitigate the risks your processing poses to people.

How do we demonstrate compliance with data protection obligations when we use blockchain?

When you use a blockchain, you must put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. 

Some of the initial practical steps that you must take towards that include:

  • establishing the participating parties;
  • defining their nature and role; and
  • defining their accountability responsibilities. 

Ways you can demonstrate compliance include:

  • Carrying out a data protection impact assessment (DPIA) prior to any use of blockchain technology. Remember, you must do a DPIA where your processing is likely to result in a high risk to people’s rights and freedoms. In most cases, this means you must carry out a DPIA for your use of blockchain. However, even if this isn’t the case, you should consider a DPIA, as it is a useful tool for you to assess your planned use of personal information and any risks posed to people.
  • Clearly identifying all the blockchain processing activities, the on-chain and off-chain personal information lifecycles, chosen blockchain platform and associated actors and participants. You should document roles and responsibilities and establish a clear governance framework (for example in the DPIA, any controller, processor or joint controller arrangement or in your record of processing activities where appropriate).
  • Documenting your decisions and justifications for using blockchain technology, in line with the accountability principle.
  • Making sure the blockchain you choose, create or outsource to a blockchain developer is designed in line with the data protection by design and default principles.
  • Being transparent about your use of blockchain technologies to process personal information, in particular how people can exercise their data protection rights.
  • Identifying and addressing the risks posed to individual rights by your chosen implementation of blockchain.
  • Carrying out security audits on elements of your blockchain implementation that process personal information to look for any security loopholes or vulnerabilities, as well as documenting them for auditing purposes.
  • Evaluating and planning for any changes to organisational and technical measures that you may require in case of technical incidents or new technological developments. For example, cyber threats, personal data breaches, technological advancements such as advanced encryption schemes, blockchain forks and upgrades and cryptographic primitive upgrades.
  • Documenting where that personal information is stored or transferred — especially when it leaves the UK. This may involve ascertaining whether the nodes are located within the UK or otherwise in scope of UK GDPR, ie if they are monitoring the behaviour of UK people.

How should we mitigate data protection compliance risks? 

Data protection by design means that you must decide what technical and organisational measures would be appropriate to comply with data protection law and respect people’s rights. 

There is no one-size-fits-all solution or approach. As a controller, you should assess the strengths and challenges of any particular measure based on the processing you intend to do, the risks you identify and the mitigations necessary to reduce those risks. 

Blockchain involves a range of technologies that are at different levels of development and maturity. If you intend to implement blockchain to achieve particular purposes then, as part of a data protection by design approach, you must:

  • take into account the risks these introduce for people’s data protection rights;
  • consider the state of the art for each specific technology involved in your planned deployment; and
  • identify appropriate technological and organisational measures to mitigate those risks.

As part of this, you should consider which privacy-enhancing technologies (PETs) are available to improve the privacy and security of your processing activities involving blockchain. 

In this section, we include some examples of PETs you could use to design a secure and privacy-preserving blockchain solution, depending on your specific circumstances and availability of the technologies.

You should note that different technologies may interplay with each other in different ways and could introduce new risks that you need to mitigate. For example, different PETs may offer different security guarantees. They may also come with particular considerations about usability, scalability and utility.

Zero-Knowledge Proofs (‘ZKPs’)

ZKPs are a set of protocols a participant can use to prove to a verifier that they are in possession of some (usually secret) knowledge. For example, a person can use ZKPs to prove their age without revealing their actual date of birth. 

ZKPs could be appropriate in several blockchain use cases, in particular if you need to ensure identity protection, authentication and verifiable computation without revealing personal information. 

ZKPs are also useful in the context of decentralised identity systems. They allow users to prove things about themselves (known as ‘attributes’) without revealing the underlying personal information. 

ZKPs can help you achieve data protection compliance with:

  • the data minimisation principle, as they limit the amount of personal information you collect and process; and
  • the security principle, as you do not have to share confidential data such as wallet and balance information with all the participants.
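As an added illustration (not code from the ICO or any blockchain project), the simplest ZKP in this family: a Schnorr proof in which the prover convinces a verifier that it knows the secret x behind a public value y = g^x mod p without disclosing x. The group parameters are generated at runtime and the `simulate` function shows why the transcript reveals nothing: anyone who knows the challenge in advance can produce an accepting transcript without the secret.

```python
# Schnorr proof of knowledge of a discrete log; added example, not ICO guidance.
import random

def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits, rng):
    """Safe prime p = 2q + 1; the squares mod p form a subgroup of prime order q."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4          # g = 4 = 2^2 is a square, so has order q

def commit(p, q, g, rng):
    """Prover step 1: fresh nonce k, commitment t = g^k."""
    k = rng.randrange(1, q)
    return k, pow(g, k, p)

def respond(x, k, c, q):
    """Prover step 3: s = k + c*x mod q; x is masked by the one-time k."""
    return (k + c * x) % q

def verify(p, q, g, y, t, c, s):
    """Verifier: accept iff g^s == t * y^c (mod p)."""
    return pow(g, s, p) == (t * pow(y, c, p)) % p

def simulate(p, q, g, y, c, rng):
    """Zero-knowledge: with the challenge known, forge an accepting transcript without x."""
    s = rng.randrange(1, q)
    t = (pow(g, s, p) * pow(y, (q - c) % q, p)) % p    # y^(q-c) == y^(-c)
    return t, c, s
```

Because a verifier could have produced the transcript alone, seeing a proof gives it no information about x; in deployed systems the challenge is derived from a hash of the commitment (Fiat-Shamir) so the proof can be posted on-chain non-interactively.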

Homomorphic encryption (HE) 

HE enables computation on encrypted data without the need to decrypt it first. The computation on the encrypted data yields the same output as if it had been performed on the unencrypted data, while not revealing the underlying plaintext. Both the computation and its output remain encrypted. In other words, data does not have to be decrypted before the computations are performed.

HE's main benefit is the way it can help to achieve a balance between data utility alongside security and confidentiality. It can help with data protection compliance principles, like security and confidentiality, by minimising the risk from data exposure. 

In the context of blockchain, HE can ensure user privacy by allowing computation of encrypted user data on-chain. 

In public permissionless systems any participant can access all the data held on the blockchain. With HE, this data can be stored in encrypted form, be kept accessible only to authorised users and yet also available for use in smart contracts. 

Like the transaction data, smart contracts are stored publicly on the ledger, creating the potential for reverse engineering. HE offers the potential of private, encrypted smart contracts that only legitimate users can access, reducing reverse engineering risks and protecting intellectual property.
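As an added example (not ICO or any platform's code), an additively homomorphic scheme (textbook Paillier) applied to the balance scenario above: a node can total encrypted transaction amounts and scale them without ever seeing the plaintexts, and only the key holder can decrypt the result. The key is a constructed toy one built from the primes 65537 and 65521; real deployments use primes of around 1024 bits or more.

```python
from math import gcd
import random

P, Q = 65537, 65521                                 # constructed toy primes
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)        # lambda = lcm(p-1, q-1)
PHI = (P - 1) * (Q - 1)

def _L(u):
    return (u - 1) // N

MU = pow(_L(pow(N + 1, LAM, N2)), PHI - 1, N)       # inverse of L(g^lambda) mod N (Euler)

def encrypt(m, rng=random):
    """Paillier: c = (1+N)^m * r^N mod N^2 with a fresh random r, so equal amounts
    produce different ciphertexts."""
    assert 0 <= m < N
    while True:
        r = rng.randrange(1, N)
        if gcd(r, N) == 1:
            break
    return (pow(N + 1, m, N2) * pow(r, N, N2)) % N2

def decrypt(c):
    """Only the holder of (P, Q) can recover m."""
    return (_L(pow(c, LAM, N2)) * MU) % N

def add_encrypted(c1, c2):
    """Multiplying ciphertexts adds the plaintexts: D(c1*c2) = m1 + m2."""
    return (c1 * c2) % N2

def scale_encrypted(c, k):
    """Raising a ciphertext to k multiplies the plaintext by k."""
    return pow(c, k, N2)

def ledger_total(encrypted_amounts):
    """A node aggregates amounts it cannot read; 1 is the encryption of 0 with r = 1."""
    total = 1
    for c in encrypted_amounts:
        total = add_encrypted(total, c)
    return total
```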

Differential privacy

Differential privacy is a method for measuring how much information the output of a computation reveals about someone. It involves the randomised injection of “noise”. This is a random alteration of data in a dataset so that values such as direct or indirect identifiers of people are harder to reveal. 

You could use differential privacy to add noise to the on-chain data. This can protect details like the sender and recipient wallet addresses.

You can use differential privacy to anonymise data, provided you add an appropriate level of noise. Any original data retained by the controller would be personal information in their hands. This also applies to any additional information that may allow reidentification. However, the output may not be personal information in the hands of another party.
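As an added example (not ICO code), the Laplace mechanism for a counting query over constructed on-chain transfer records with made-up addresses: the released count of transfers to an address is perturbed with noise scaled to 1/epsilon, and a simple budget tracker refuses further releases once the agreed epsilon is spent, since repeated queries on the same data compose.

```python
import math
import random

def laplace_sample(scale, u):
    """Inverse-CDF sample from Laplace(0, scale) given a uniform u in (0, 1)."""
    u = max(u, 1e-300)                       # guard against u == 0 from random()
    v = u - 0.5
    return -scale * math.copysign(1.0, v) * math.log(1.0 - 2.0 * abs(v))

def noisy_count(records, predicate, epsilon, rng=random):
    """Laplace mechanism for a count (sensitivity 1): adding or removing one
    person's record changes the count by at most 1, so noise of scale 1/epsilon
    gives epsilon-differential privacy for that single release."""
    true_count = sum(1 for rec in records if predicate(rec))
    return true_count + laplace_sample(1.0 / epsilon, rng.random())

class PrivacyBudget:
    """Tracks cumulative epsilon spent across releases from the same dataset."""
    def __init__(self, total_epsilon):
        self.remaining = total_epsilon

    def spend(self, epsilon):
        if epsilon <= 0 or epsilon > self.remaining:
            return False                     # budget exhausted: refuse the release
        self.remaining -= epsilon
        return True

def release_count(records, predicate, epsilon, budget, rng=random):
    """Returns the noisy count, or None if the budget does not allow the release."""
    if not budget.spend(epsilon):
        return None
    return noisy_count(records, predicate, epsilon, rng)

RECORDS = [  # constructed sample transfers; addresses are made up
    {"from": "0xA1", "to": "0xB2", "amount": 120},
    {"from": "0xC3", "to": "0xB2", "amount": 45},
    {"from": "0xA1", "to": "0xD4", "amount": 300},
    {"from": "0xE5", "to": "0xB2", "amount": 10},
    {"from": "0xD4", "to": "0xA1", "amount": 75},
]
```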

Further reading – ICO guidance

See our guidance on PETs for more information about: