DPDP & Blockchain - Case Study 2 She withdrew consent. The nodes remembered anyway. Meera's hospital recorded her consent withdrawal correctly. However, six network nodes already held copies of her medical data — and none of them received a deletion instruction. Under Sections 6(4) and 8(2) of the DPDP Act, 2023, every node in a blockchain network may be a Data Processor. Each one needs a written contract. Each one must act on consent withdrawal. IS Audit 3.0 (ICAI) specifically identifies distributed data exposure as a blockchain risk. Governance must reach every node — not just the originating server. The compliance deadline is 13 May 2027.











