Fred Santana

What is Blockchain: A Technical Guide for Compliance Professionals

Why a DPO Needs to Understand Blockchain

I’m Fred, founder of DPO2U. In recent months, I’ve been publicly building an on-chain compliance ecosystem, and I’ve encountered a problem that few admit exists: the technology that promises perfect auditability can violate the very law it’s supposed to protect.

This conflict has a name in academic literature. De Filippi and Wright, in Blockchain and the Law (2018), already warned that immutability would create direct tensions with the right to data deletion. In my Zettelkasten, I registered this as the Paradox of Immutability (ZK-20260125-013): the virtue of blockchain for integrity is its vice when personal data needs to be deleted.

This article is Day 1 of 30 in “The Privacy Paradox” campaign. My goal: to explain, without unnecessary jargon, what you need to know about blockchain to make informed decisions. Not to become a programmer, but to avoid being deceived by those who sell magical solutions.

The Promise: Why Blockchain Matters for Compliance

Imagine your company needs to prove it obtained consent from a data subject on a specific date. Today, this proof is usually in an internal database controlled by the company itself. If there is litigation, the other party might question: “who guarantees that this record hasn’t been altered?”

In the DPO2U Whitepaper, I documented the vulnerabilities of the current system: privacy policies in editable PDFs with no change history, consent records in deletable spreadsheets, DPIAs with manual versioning. Which version is valid?

With blockchain, the consent record would be in an immutable ledger verifiable by third parties. No one would need to trust the company’s word. Think about the applications:

A consent record with an inviolable timestamp; an audit trail that no system administrator can tamper with; proof of compliance that regulators can verify without depending on the company’s good faith.

It’s like replacing that Excel file that “proves” compliance with a digital notary record that no one controls alone.

Public vs. Private Blockchain: The Distinction That Matters

Not all blockchains work the same way, and this distinction is crucial for compliance.

A public blockchain functions like a mural in a public square. Anyone can read all the records. Bitcoin and Ethereum are examples. In them, recording a CPF (Brazilian tax identification number) or email address would be like writing personal data on a billboard, visible forever to everyone.

A private (or permissioned) blockchain functions more like the internal system of a consortium of companies. Only authorized participants can read and write. There is more control, but less decentralization.

For compliance professionals, the key question to ask of any blockchain solution is: who can read what is recorded? If the answer is “anyone on the internet,” compliance with Article 46 of the LGPD (Brazilian General Data Protection Law), which requires technical measures to protect personal data, is at risk.

Five Questions Every DPO Should Ask Before Accepting a Blockchain Solution

  1. Is personal data on-chain or off-chain? If the answer is on-chain, immediately question compliance with Articles 16 and 18 of the LGPD (Brazilian General Data Protection Law).

  2. Is the blockchain public or permissioned? This defines who has access to the records and directly impacts Article 46 (security measures).

  3. Is there a deletion or anonymization mechanism? Immutable blockchain + personal data = regulatory risk. Ask how the provider intends to handle deletion requests.

  4. Who is the data controller? In decentralized networks, the chain of responsibility foreseen in Article 5 of the LGPD becomes unclear. Someone needs to be responsible for compliance.

  5. What is the legal basis for processing? Article 7 of the LGPD requires a legal basis for any processing. “It’s on the blockchain” is not a legal basis.
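The consent-proof scenario described earlier and questions 1 and 3 above come together in one design pattern: keep the personal data off-chain in a store you can delete from, and anchor only a salted hash of the record on-chain. The Python below is an added worked example of that pattern, written for this article; it is not code from the post or from DPO2U, and its toy ledger (a linked list of hashed block headers, with made-up names such as `ToyLedger`, `commit_consent` and `erase_consent`) merely stands in for a real chain's append-only guarantee. One caveat the example cannot show: on a real network the timestamp is set by whoever produces the block, so what it proves is that the record existed no later than its inclusion, not the exact moment consent was given.

```python
import hashlib
import json
import secrets
from datetime import datetime, timezone

# Hypothetical toy ledger (added example, not DPO2U code): a chain of hashed
# block headers standing in for a real blockchain's immutability guarantee.
GENESIS_HASH = "0" * 64
HEADER_FIELDS = ("index", "prev_hash", "timestamp", "payload_hash")


def canonical(obj) -> str:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def now_iso() -> str:
    return datetime.now(timezone.utc).isoformat()


class ToyLedger:
    """Append-only chain: every block commits to the previous block's hash."""

    def __init__(self):
        self.blocks = []

    def append(self, payload_hash: str, timestamp=None) -> dict:
        prev = self.blocks[-1]["block_hash"] if self.blocks else GENESIS_HASH
        header = {
            "index": len(self.blocks),
            "prev_hash": prev,
            "timestamp": timestamp or now_iso(),
            "payload_hash": payload_hash,
        }
        block = dict(header, block_hash=sha256_hex(canonical(header)))
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        """Recompute every hash; any edited or reordered block breaks the chain."""
        prev = GENESIS_HASH
        for i, block in enumerate(self.blocks):
            header = {k: block[k] for k in HEADER_FIELDS}
            if (block["index"] != i or block["prev_hash"] != prev
                    or sha256_hex(canonical(header)) != block["block_hash"]):
                return False
            prev = block["block_hash"]
        return True

    def contains(self, payload_hash: str) -> bool:
        return any(b["payload_hash"] == payload_hash for b in self.blocks)


# Off-chain pattern: the consent record (CPF, email, purpose) lives in a
# deletable store; only a salted SHA-256 commitment goes on-chain.
# The salt matters: a CPF has only 11 digits, so an unsalted hash of it could
# be matched against a precomputed table; with a secret random salt it cannot.

def commit_consent(ledger: ToyLedger, store: dict, record: dict, timestamp=None) -> str:
    salt = secrets.token_hex(16)
    commitment = sha256_hex(salt + canonical(record))
    ledger.append(commitment, timestamp)
    store[commitment] = {"salt": salt, "record": record}
    return commitment


def verify_consent(ledger: ToyLedger, store: dict, commitment: str) -> bool:
    """Third-party check: the off-chain record re-hashes to a value anchored on-chain."""
    entry = store.get(commitment)
    if entry is None:
        return False
    recomputed = sha256_hex(entry["salt"] + canonical(entry["record"]))
    return recomputed == commitment and ledger.contains(commitment)


def erase_consent(store: dict, commitment: str) -> bool:
    """Deletion request (question 3): drop the record and its salt. The on-chain
    hash stays, but it no longer links to any personal data."""
    return store.pop(commitment, None) is not None


def demo() -> dict:
    ledger, store = ToyLedger(), {}
    # Constructed sample record; the CPF is a placeholder, not a real number.
    record = {"subject_cpf": "000.000.000-00", "purpose": "newsletter", "granted": True}
    c = commit_consent(ledger, store, record, "2026-01-25T10:00:00+00:00")
    results = {"chain_ok": ledger.verify(), "proof_ok": verify_consent(ledger, store, c)}
    erase_consent(store, c)
    results["after_erasure_proof_ok"] = verify_consent(ledger, store, c)
    results["chain_still_ok"] = ledger.verify()
    ledger.blocks[0]["payload_hash"] = sha256_hex("edited")  # an admin rewrites history
    results["tamper_detected"] = not ledger.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks the full life cycle: the proof verifies while the off-chain record exists, stops verifying once the record and salt are erased (the chain itself stays intact, so other records are unaffected), and any later edit to a block is caught by `verify()`. Had the CPF been written on-chain in the clear, the erasure step would have had nothing to delete, which is exactly the risk questions 1 and 3 are meant to surface.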

Day 1 of 30 — “The Privacy Paradox” Campaign.

References: De Filippi, P., & Wright, A. (2018). Blockchain and the Law. Harvard University Press. LGPD, Law No. 13.709/2018.

Next: Immutability vs. Right to be Forgotten
