But does GDPR apply to data on a blockchain?

The user herself encrypts her data and uploads it to her ‘enclave’ on the chain. For your company, or any company, to be able to read that data, she would have to decrypt the data and make it available to you. At no time are you as a company responsible for that data. Your have just made the dapps / websites for helping her to store the data on the blockchain, as the terminal functions are pretty hard.

In today’s world, if I tell my users to write down something on a note and hide it in their home, I’m not responsible for GDPR for that data. I would guess the same is true for public blockchains