DPDP 3.3.1 : DPDP and Blockchain – Case Study 1

“The blockchain won’t let me delete your data.” That is not a legal answer under Indian law.

Arjun resigned from his employer and asked them to erase his personal data. His HR team apologised — the data was on their blockchain-based verification system and, they said, could not be deleted.

Under Section 12(3) of the DPDP Act, 2023, every Data Principal has a statutory right to erasure. The Data Fiduciary must comply — unless retention is necessary for a specified purpose or legal obligation. The DPDP Act creates no exception for immutable ledgers.

Furthermore, Section 8(1) places non-derogable liability on the Data Fiduciary. An organisation cannot transfer that liability to its technology architecture.

IS Audit 3.0 by ICAI identifies legal and compliance uncertainty as a primary blockchain risk. Before the DPDP Act, that uncertainty was structural. Today, the law is clear.

The compliance design choices are not complicated — but they must be made at the architecture stage, not after deployment:

→ Store personal data off-chain. Record only a hash on the ledger. Delete the off-chain data on erasure request.
→ Alternatively, encrypt personal data before writing to the chain. On erasure request, delete the encryption key. The block remains — but it is unreadable.
→ For permissioned chains, build node-level governance with erasure-triggering protocols.
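The first option above can be sketched as follows; this is an added example, not code from the authors or from any particular blockchain platform. It assumes a keyed hash (HMAC-SHA256 with a random per-record salt kept off-chain) instead of a bare hash, so that low-entropy fields cannot be guessed from the on-chain value, and the names Ledger, OffChainStore and commitment are hypothetical.

```python
import hashlib, hmac, json, secrets

def _sha256(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def commitment(data: dict, salt: bytes) -> str:
    # Keyed hash: without the salt, low-entropy fields cannot be brute-forced.
    return hmac.new(salt, json.dumps(data, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class Ledger:
    """Append-only hash chain. Stores commitments, never personal data."""
    def __init__(self):
        self.blocks = []

    def append(self, record_id: str, commit: str) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = [prev, record_id, commit]
        self.blocks.append({"prev": prev, "record_id": record_id,
                            "commit": commit, "hash": _sha256(body)})

    def intact(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != _sha256([b["prev"], b["record_id"], b["commit"]]):
                return False
            prev = b["hash"]
        return True

class OffChainStore:
    """Mutable database holding the personal data and its salt (assumed design)."""
    def __init__(self):
        self.rows = {}

    def register(self, ledger: Ledger, data: dict) -> str:
        record_id = secrets.token_hex(8)   # random, not derived from the person
        salt = secrets.token_bytes(32)
        self.rows[record_id] = (data, salt)
        ledger.append(record_id, commitment(data, salt))
        return record_id

    def verify(self, ledger: Ledger, record_id: str) -> bool:
        if record_id not in self.rows:     # erased: nothing left to verify
            return False
        data, salt = self.rows[record_id]
        on_chain = next(b["commit"] for b in ledger.blocks if b["record_id"] == record_id)
        return hmac.compare_digest(on_chain, commitment(data, salt))

    def erase(self, record_id: str) -> None:
        self.rows.pop(record_id, None)     # drops data and salt together
```

After erase() the ledger is byte-for-byte unchanged and intact() still passes, but the block that remains holds only a random identifier and a keyed hash whose salt no longer exists.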

Arjun’s employer had an immutable ledger. However, they did not have an erasure plan. Those are two different problems — and only one of them was a technical constraint.

The DPDP Act compliance deadline is 13 May 2027. Blockchain architectures processing personal data today need an erasure design now.

Disclaimer

The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.

The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.

Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.

The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.


Authors:
This article has been co-authored by CA. Sunil Elayadath and CA. Karthik Narayanan S, Partners of Karthik & Sunil, together with Mr. Dhanesh P. K., Designated Partner, DSK Sustainability Tech.
