Blockchain and Privacy Protection in Case of The European General Data Protection Regulation (GDPR): A Delphi Study

The present work deals with the interrelationships of blockchain technology and the new European General Data Protection Regulation, which will be in force after May 28th, 2018. The regulation harmonizes personal data protection across the European Union and aims to return the ownership of personal data to the individual. This thesis, therefore, addresses the question of how this new technology, characterized by decentralization, immutability and truly digitized values, will be affected by the strict privacy regulation and vice versa. The aim of this work is to clarify whether blockchains can comply with the new regulation on the one hand and to identify how blockchain could support its compliance on the other. The questions are validated through an extensive literature review and further investigated with a Delphi study that asks a panel of 25 renowned experts to identify opportunities, limitations and general suggestions on both topics. In addition, a framework is proposed to support the assessment of privacy and related risks of blockchains. As a result, it becomes apparent that blockchains can become more privacy-friendly and comply with the regulation if an active dialogue between blockchain developers and regulatory authorities strengthens their mutual understanding and work. With the support of this work and the blockchain Privacy Impact Assessment canvas, a foundation for the necessary next steps is laid to overcome the challenges of defining a data controller or deleting personal data within a blockchain.

Personal data protection (the US term "privacy" is used interchangeably within the context of this thesis) is becoming more important than ever before. There is an increasing demand for identity and a right to privacy in developing countries, which are implementing compulsory biometric data services [1]. Under the current speed of development of Artificial Intelligence (AI), in combination with centralized service providers like Google and Facebook (it is assumed that well-known companies with such high market and news presence do not need a reference) that currently own the personal data (PD) of their users, the question of what will happen with that data in the future becomes inevitable [2], [3], [4], [5], [6]. Will these individuals be willing to keep trusting their governments and these companies to use the services and algorithms they developed fairly? To bring trust back to a digital world, one proposed solution is blockchain technology (used interchangeably with blockchain and the abbreviation BC) [7], [8]. In short, blockchain technology can be described by comparing it to a spreadsheet in the sky, where each person has the latest version of the document, and everyone can inspect it. Users need to reach a mutual consensus to define its content, and instead of one company like Google storing it centrally, every user keeps a copy of the blockchain on their machine [9].
In the blockchain ecosystem, people talk about an evolution and paradigm shift that will influence every fragment of the world as currently known [10]. The distributed version of trust will affect existing business models and industries, legal systems and governments, and ultimately society as a whole [7]. Blockchain's most prominent use case is the digital money Bitcoin, and it is proposed for audit functions, exchanges and to host other applications where the often monopolistic central organizations have become inefficient or untrustworthy [10]-[12].
To take a step back, blockchain itself is not the only factor that led to the realization that our current systems and structures of power and wealth attribution must be seriously rethought [3]. None of today's technological trends (e.g., blockchain, AI, Big Data, Internet of Things (IoT)) would have occurred without the rise of innovations that enabled immensely efficient data collection and storage spanning all aspects of an individual's or machine's lifespan (e.g. Apple's iPhone, Intel's microprocessors); some go as far as calling all that collected data "the new oil" [6], [10], [14], [15].
To loop back to the emergence of AI, new technological advances have been shifting the boundaries of how data can be put into context [16]. In this research, the focus is on personal data, or personally identifiable information (PII) as Americans call it [16]. The definition of PII changes with the development of those technologies that increase the chance of re-identifying data using multiple sources [16]. Today almost every digital device that is used by humans and connected to the internet can be traced back to its origin [17]. As this kind of data is often closely linked to the identity of a human, it should be protected to the same extent as the other rights this individual has.
One successful approach towards regulating what happens to our personal data and the human right to privacy was taken by the European Union (EU) in order to harmonize data protection across Europe and strengthen its digital single market strategy [18], [4]. The General Data Protection Regulation (GDPR), which was put into place in May 2016, will help to achieve exactly that. It will be enforced from May 25th, 2018 and will significantly increase the value of personal data and shift its ownership back to the individual [19], [20].
The research results can further be used to fill a gap in understanding the relationship between blockchain and the GDPR. By providing a high-level overview of an aggregated framework and thoughts collected from 25 subject matter experts, many research pitfalls can be avoided.

Practical Relevance
As previously stated, the topic can again be seen from different points of view. This time the regulatory view is inspected first, as the latest annual report of the European Data Protection Supervisor (EDPS) perfectly describes the practical importance for the regulatory authorities and data protection experts [18]: "It is essential that data protection experts begin to examine the concepts behind blockchain technology and how it is implemented in order to better understand how data protection principles can be applied to it. An integral part of this process should be the development of a privacy-friendly blockchain technology, based on the principles of privacy by design." From the blockchain experts' point of view, the uptake and traction the topic has gained are indicated by the customer requests that the author's company BigchainDB GmbH receives, as well as the active participation at an overbooked presentation held by the author [25]. Additionally, whitepapers that serve mainly as marketing material, but do present relevant content, have recently been published by law firms and identity management software providers [26], [27].
Another point of view comes from the author's work in the German mirror committee of the International Organization for Standardization (for ISO TC 307), which currently aims to create international standards for blockchain technology. The topic of the GDPR was raised in the identity, privacy and security working groups [28], [29].
It shows that this research can help set a practical and theoretical foundation for the future development of blockchain and privacy enhancing technology as well as legal frameworks. The author hopes to spark further dialogue between regulators, governments and innovators to drive this topic towards a more equal and fair future for everyone. To draw an accurate picture of future scenarios, this thesis leverages the Delphi method for its core research procedure.

Research Process
The research process presents a high-level overview of the research design and shows how the Delphi method fits into it. After initial reviews of potential research topics and brainstorming sessions with colleagues and friends, initial hypotheses were formed that helped to further define the research question of this thesis. These first hypothesis drafts were presented to the author's academic supervisors, after which the decision was made to conduct an exploratory study within the field of Future Research Methodologies [30]. After an initial recommendation by one of the supervisors, further literature was reviewed to finalize the choice of conducting a Delphi study. Deeper analysis, conceptualized frameworks and recommendations are discussed to conclude the thesis. The following outline summarizes the structure along the lines of this process and helps to navigate through the thesis [32].

Outline
The outline closes Chapter: Introduction, which gave the opening remarks on the mutual relationships between blockchain and the GDPR.
Chapter: Background and Literature Review
The theoretical groundwork and background on blockchain, the GDPR and existing privacy solutions for blockchain are provided through the results of an extensive literature review. From these, hypotheses are drawn that build the foundation for the Delphi study.

Chapter: Research Methodology
The research methodology and Delphi study are demonstrated to prepare the necessary information for its analysis and framework development.
Appendices A to D show the actual questionnaires and complete results of the Delphi study.

Chapter: Results
Firstly, the data gathered in the Delphi method is analyzed and put into perspective. Secondly, a framework of a privacy impact assessment for blockchain technology, comprising guidance for practitioners and researchers, is proposed and discussed.

Chapter: Conclusion
The study's implications, limitations and recommendations, with final remarks, are presented, including concrete recommendations for further research.
Background and Literature Review
The author decided to focus his search on the main terms closely related to the topic of this thesis, namely blockchain (also called "distributed ledger" technology by some parts of the ecosystem; the term "Bitcoin" was avoided on purpose, as it only presents one use case of blockchain technology) and the GDPR (which includes "privacy" and "data protection regulation") [33], [34]. Literature about the research methodology (see Methodology: Background) was collected as well but is not an integral part of this main review.
These main keywords are summarized in Table 1 (it is assumed that well-known abbreviations do not have to be written out outside the List of Abbreviations), which also shows the main sources of the literature review. Besides brief internet searches, six main categories with 13 specific sources were identified to find approximately 150 different pieces of literature (including e.g. scientific journal articles, books, whitepapers and so forth). These were selected for their relevance to this paper and their credibility based on their authors and publication audience. Peer-reviewed literature hardly exists, as both fields are relatively new [34], [35], [36]. Within the scope of this thesis, the following chapter outlines a strongly compacted summary of the main topics. In the first part, the data protection regulations in the EU are reviewed, and the main challenges of the GDPR implementation with regard to blockchain are described. In the second part, the main concepts of blockchain are defined and explained for further use in outlining existing privacy solutions for blockchain. In a third part, this theoretical foundation is used to create the main hypotheses as a basis for further investigation within the Delphi study.

Data Protection Regulation in the EU
"The improvement in substance is that there's far more transparency under the new rules, which means that you will have more detailed information policies about what your data are processed for, which purposes if they are given to others, and there will be also in general more possibilities to get a view of which data are there about you. And you have new rights like data portability and the right to be forgotten. So, it will be far easier for consumers to control their personal data." Jan Philipp Albrecht summarizes the substance of the new data protection regulation in the EU [37]. As a member of the European Parliament (MEP) he became known as the father of the GDPR, and the author is happy to have gained him as a participant in the Delphi study [38]. The next section will trace the journey of data protection regulations towards the GDPR.
Before the GDPR
Data protection law in the EU has developed in close step with information technology (IT), as shown in Figure 2. Without going into every detail of this chart, the most important points along the journey towards the GDPR (the chart was created in January 2016, hence the question marks about the actual adoption) will be mentioned [39]. Adding to this historical perspective is the very detailed work of Van Alsenoy (2016), who identified four main periods, each of which will be related to the pervasiveness of IT (from the previous Figure) during that time [40]. This relation will give a broader implicit perspective on the necessity of data protection regulations during those periods:
1. The emergence of national data protection laws (1970-1980)
Van Alsenoy describes the appearance of data protection as a policy issue bound to the 1960s transition to a post-industrial economy, a time of extensive social and economic change. To administer this change, governments began to use advances in computing technology to gather data about citizens, which led to a paradigm shift in rethinking the nature of the relationship between the state and the individual [40]. The first data protection laws were adopted by the German state of Hesse in 1970, followed by Sweden in 1973 and Germany, France, Denmark, Norway and Austria in 1978 [40], [41].
This was the period in which Xerox invented Ethernet, Microsoft was founded and the first personal computers (PCs) moved into individuals' households [42].
2. Internationalization (1980-1981)
The Organization for Economic Co-operation and Development (OECD) formalized its first initiative (Guidelines on the Protection of Privacy and Transborder Flows of Personal Data) to address growing national concerns about cross-border data flows, which were seen as potential threats that would lead to losing legal control over data processing activities [40]. The success of these first international guidelines is described by further quoting Van Alsenoy: "By incorporating a certain degree of abstraction, the OECD managed to forge a consensus among experts from both sides of the Atlantic, who at times hold very diverging views on how to best implement privacy protections." The PC was entering a phase of mass adoption, and the first computer games appeared on the markets [43].
3. National implementation (1982-1994)
During this timeframe, national bodies started to adapt their national data protection laws to the OECD guidelines. Specifically, the UK Data Protection Act of 1984 and the Belgian Data Protection Act of 1992 are seen as major milestones towards an EU-wide data protection framework, as both were characterized as "rush jobs" that would further force the EU to push for harmonized action [40].
The development of PCs (Apple and Microsoft) and microprocessors grew rapidly and exponentially, leading to the development of the Domain Name System and ultimately the first websites on the internet as it is known today [43], [44].

4. European harmonization (1995-2016)
The EU managed to publish the European Data Protection Directive (DPD) on the protection of individuals' privacy with regard to the processing of personal data and the free movement of such data [45]. The directive still only served as a guideline that did not require implementation measures by national bodies. It had two goals [19]: "[…] to protect the fundamental right to data protection and to guarantee the free flow of personal data between Member States." Several directives specifying forms of digital communication were submitted in the subsequent years, until finally the Article 29 Working Party (an independent EU advisory board, established in 1996, that includes the data protection authorities of each EU member state, the EDPS and the EU Commission) made a reform proposal in 2012 for an EU-wide data protection regulation [45], [46]. A regulation differs from a directive in that it overrides national law immediately upon activation while adding strong
Introduction to the GDPR
This section will outline the purpose and structure of the GDPR. It will then describe its impact on the EU and present the key definitions and concepts.

Purpose
With the previously described DPD, the minimum standard for data protection law in the EU was set, but it still made it very difficult for organizations to determine which member state's law applies when dealing with cross-border data flows. The EU Commission finally decided that a single harmonized and enforceable law for all member states should achieve two main goals [19]:
1. Protecting the rights, privacy and freedoms of natural persons in the EU.
2. Reducing barriers to business by facilitating the free movement of data throughout the EU.
These goals are in line with the new overall single market strategy of the EU [18], [50]: "The Single Market is at the heart of the European project, enabling people, services, goods and capital to move more freely, offering opportunities for European businesses and greater choice and lower prices for consumers. It enables citizens to travel, live, work or study wherever they wish." This is achieved by the aforementioned differentiation from a directive. Regulations are, hence, an efficient mechanism to apply a consistent approach to all 500 million people in 28 member states, and frequently beyond [19].

Structure
The GDPR is split into two broader sections, which is standard for EU directives and regulations [20]. The first section contains the recitals, which essentially provide broader context, direction and guidance for better understanding the explicit requirements set out in the articles in the second section [51]. These articles define the scope with which entities must comply. A summary of the articles, which are categorized in chapters, is shown in Figure 3. This helps professionals to navigate the regulation, as not every article applies to every organization; often only a few articles are relevant for a specific case [52]. The GDPR tries to set out specific restrictions on the usage and storage of personal data while preserving the interests of both EU citizens and the organizations doing business within the EU. An organization that acts quickly to ensure compliance with the GDPR will thrive in the evolving regulatory environment, potentially also using its compliance as a marketing advantage [53]. In the course of improving existing business practices, some organizations will be able to make essential process improvements and use the standardized regulation to streamline these processes for EU and pan-EU operations, yielding significant efficiency gains [41], [46]. It will further lay a foundation for new proposals on specific digital laws, like the e-privacy directive (especially about internet cookies) for electronic communications [19].

Key definition and concepts
The definitions and concepts in this section are limited to providing a minimum understanding of the topic. As the GDPR has around 200 pages, a very detailed overview would be out of the scope of this thesis [19]. Further definitions and concepts might be introduced in the context of other parts of this thesis later. Others (relating to specific articles or recitals) might not be looked at at all. This study is not legal research; hence it is recommended to consult the reference section and open the actual legal text if deeper clarification is needed.
Figure 3 summarizes the GDPR's chapters:
• Chapter I - General Provisions: Articles 1-4
• Chapter II - Principles: Articles 5-11
• Chapter III - Rights of the data subject: Articles 12-23
• Chapter IV - Controller and processor: Articles 24-43
• Chapter V - Transfers of personal data to third countries: Articles 44-50
• Chapter VI - Independent supervisory authorities: Articles 51-59
• Chapter VII - Cooperation and consistency: Articles 60-76
• Chapter VIII - Remedies, liability and penalties: Articles 77-84
• Chapter IX - Provisions relating to specific processing situations: Articles 85-91
• Chapter X - Delegated acts and implementing acts: Articles 91-93
• Chapter XI - Final provisions: Articles 94-99
The following five terms are used throughout the thesis and should be clearly understood from the outset [51]:
Personal data and data subject (Article 4, Clause 1)
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This means that information is not personal data (i.e. it is anonymized data) only if there is no imaginable way to link it to a person; pseudonymized data, on the other hand, is data that cannot directly be re-identified [52]. The personal data definition explicitly includes particular data types, such as biometric, genetic and health information, as well as online identifiers. It does not extend any rights to deceased persons [52].

Controller (Article 4, Clause 7)
'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; This means that the controller determines the purpose and the processing that will be done. To give an example (similar to one from [19]): if a firm X hires a marketing agency to profile and analyze customers, it is very likely that it will only see a result and no actual data points. Given that it determined the purpose for which that data was processed, however, it stays the data controller and the marketing agency the processor. This means that firm X could be made responsible for how the marketing agency handles that data collection.
Processor (Article 4, Clause 8)
'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
As stated before, these are any organizations or entities that process PII on behalf of a data controller. Data processing is essentially considered anything that is done to the data, including its storage. An organization or entity can be both data controller and processor [19]. This point is specifically important for any considerations of processors (third-party service providers) outside the EU, as the data controller could still be held responsible by a supervisory authority in such a case [52].
Supervisory authority (Article 4, Clause 21)
'supervisory authority' means an independent public authority which is established by a Member State pursuant to Article 51;
The supervisory authority, in other words, is the governmental organisation in each member state that will be responsible for the enforcement of the GDPR [52]. The EDPS supervises the national authorities, monitors the processing of the national bodies and can step in for specific adequacy decisions in which a national body is not able to conclude a neutral assessment [18].
Other important concepts relevant for understanding are summarized in the following section, drawn from guidelines of different law firms and the EDPS annual report [54], [18], [27].
• The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right: it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights […], in particular […] freedom to conduct a business […]. (Recital 4)
• All personal data of EU citizens is subject to the GDPR. This means that non-EU companies that aim to process personal data of EU citizens must abide by the GDPR (Territorial scope, Article 3).
• Automated data processing: This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. (Material scope, Article 2)
• The right to be forgotten (RTBF): a data subject has the right to have all related personal data erased (Article 17).
• Consent: the data subject has the right to timeliness, erasure, rectification, access, restriction of usage and portability for their personal data. Information provided should be in clear and plain language stating a specific purpose for using the data. All policies, i.e. terms and conditions, should now be transparent and easily accessible (Articles 6-9 and their recitals according to [51]).
• Six privacy principles (Article 5) apply, namely 1) lawfulness, fairness and transparency, 2) purpose limitation, 3) data minimization, 4) accuracy, 5) storage limitation, 6) integrity and confidentiality.
• Mandatory 72-hour data breach notification to the supervisory authority (Article 33, Clause 1).
• Strong sanctions: in the case of failure to comply, administrative fines are defined up to 20 million Euros or 4% of global revenue, whichever is higher (Article 83, Clause 5).
• Data protection by design and by default (Article 25) is supposed to address privacy risks not only as a legal restriction on processing personal data, but to meet privacy concerns at the early stage of IT architecture design: When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. (Recital 78)

Implications of the GDPR for blockchain
The following Table 2 summarizes the findings of the literature (mainly articles from legal journals or whitepapers of legal and blockchain companies) that specifically included a view on blockchain and the GDPR. After the main topic, the cited articles and recitals of the GDPR (only those mentioned in the original literature) support the statement, after which the implication for blockchain summarizes the content relating to it. These will be the basis for forming the hypotheses by the end of this second chapter.

Table 2: Implications of the GDPR for blockchain (topic; sources; articles/recitals; implication for blockchain)
• Usage of BC for an audit trail.
• [22], [23]: The debate of public versus private BC and who would become the (joint) data controller if data is stored in multiple locations in and outside the EU.
• Personal data on the blockchain [21], [26], [24]; Art. 4(1), 6(4), 32 / Rec. 26: Can PD be stored on the blockchain, or must it be off-chain? The connection between pseudonymised and anonymised data and the data subject.
• Accountability of the data controller [21], [26]; Art. 26: BC runs counter to data minimisation, storage limitation and a clearly determined data controller, raising the question whether it is in line with 'Privacy by Design' (PbD). Privacy risks of the entire IT architecture, including BC. Solutions could be Enigma, differential privacy or future, more secure BCs.
• Right to be forgotten (RTBF) and functioning principle [21], [26], [56]; Art. 17, 17(1)(a,b), 6(1)(b,f) / Rec. 69: Can data on a blockchain be deleted in accordance with the RTBF, and what would happen if not? Could the functioning principle take over, allowing for specific interpretations of the GDPR, as BC is at its core designed not to be compliant with the RTBF?
• Technical neutrality of the GDPR [21]: Weighing the objectives of BC against privacy concerns. PbD could be achieved by mitigation measures; the lack of a data controller could pose the biggest challenge.
• Private vs public and permissioned vs non-permissioned BC [21], [26]: This relates to accountability, material and territorial scope.
• Data protection impact assessment (DPIA) [26]: Through their append-only function, BCs often use very sensitive data, resulting in a high risk to the rights and freedoms of the data subject (DS), which would always make a DPIA mandatory.
• Lawful processing in the EU [27]; Art. 6: Six grounds can be used to comply with lawful processing, and a data sharing agreement can be recorded on a BC.
• Certification for blockchain [24]: Similar to existing regulations (e.g., information security or electronic identity), it is suggested to create a certificate for trusted blockchain users.

Blockchain
"You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete." This quote from Buckminster Fuller, an outstanding American architect and systems theorist, is often used by blockchain enthusiasts to describe the phenomenon of new digital systems of value that were created and co-exist in parallel to traditional systems [57], [58]. Its best example is the well-known cryptocurrency Bitcoin [59].
The following part will firstly dive into the explanation of blockchain and its main concepts before it summarizes existing privacy solutions that are applied or conceptualized for existing blockchains.

Background and definition
To stay within the scope of this thesis this part will be limited to the main concepts and definitions. The same principle as for the previous part about the GDPR applies, in that further definitions and concepts might be introduced in the context of other parts of this thesis (especially the Delphi study), whereas others might not at all be looked at. The first two sections will look at a brief background and detailed definition of a blockchain. Following a similar structure of the GDPR's Key definition and concepts, other key concepts will be summarized in the third section.

Background
The evolution of blockchain technology began in 2008 with a whitepaper, introduced on a private mailing list called cypherpunks by an anonymous author or group of authors under the name Satoshi Nakamoto: "Bitcoin: A Peer-to-Peer Electronic Cash System" [60], [8], [61]. The first use case of blockchain was digital money, also called cryptocurrency (because of the cryptographic techniques used for it) [62]. It was created to solve the problem that individuals must trust centralized financial institutions to manage all digital payments and to keep transactions, funds and privacy secure [59], [63].
Trust is the essential element here. The new concept introduced direct digital interactions without trust in a central intermediary [62]. After earlier attempts, Bitcoin was the first to finally succeed [62].
The second main innovation in the blockchain field followed six years later, in 2014, with the proposal of a decentralized worldwide supercomputer that can be used for more than just digital money transfers. Programs that execute code autonomously, a concept called "Smart Contracts", were presented by Vitalik Buterin and the founders of Ethereum [62], [64], [65].
Along the roads of these two major innovations, it was understood that the underlying technology "blockchain" and thought-concept following it, could be used for decentralizing and decoupling intermediaries in any industry or sector as its know today (e.g. BigchainDB for data storage, or ascribe.io for fair digital art distribution and contribution) [7], [13], [66].

Definition
Blockchain technology is still under very active development, which is why a formal definition of the terminology has not been established yet [12]. Another challenge is presented by the different perspectives from which blockchain can be viewed. One ontological approach to describe these views is to categorize blockchain terminology into three layers seen from a transactional perspective, shown in Figure 4 [67]. The datalogical layer uses a technical view that describes blockchain as a data structure in a technical sense. This is further described in the next section [60], [67]. The infological layer helps to abstract the data structure level by adding information that makes it more accessible from a non-technical point of view [67]. The term "distributed ledger technology" (DLT) is an example of this layer and adds a new, arguably financially motivated, aspect to it by abstracting the linked list of transactions to a "ledger" [12], [28], [56]. The term DLT is often used interchangeably with blockchain [28]. The essential layer is what is created directly or indirectly by communication, meaning it can present the business, legal or process-improving aspect of a blockchain [68], [69].
To put the last two layers into the context of the potential social change that blockchain brings along, de Kruijff and Weigand describe it as follows [67]: "Communicative acts typically establish or evaluate commitments. In a narrower sense, a commitment (promise, commissive) is about what an actor is bound to do (so what is right in a future situation). Such a commitment being agreed upon by two parties is a change in the social reality, as is the agreed upon fulfilment of that commitment. Given the institutional context to be in place, an infological blockchain transaction moving some value from one account to another represents a change in this social reality (e.g. transfer of ownership). Such a change is what we identify as the essential blockchain transaction."

Figure 4: The three layers of blockchain terminology seen from a transactional perspective [67]. Essential layer: transactions as commitments and economic events for resources. Infological layer: transactions as inputs and outputs between accounts stored on a ledger. Datalogical layer: transactions are cryptographically verified and stored indefinitely in a chain.

Another angle to defining blockchain terminology is taken by an initiative within the official international standardization work [28], [29]. The author is part of one project that feeds into this work within the German national standardization body, the German Institute for Standardization (DIN), which aims to create a blockchain terminology [70]. In the resulting definition of blockchain, one can implicitly find the aforementioned ontological approach again. As the work is still in progress, the outcome presented reflects only the current state of the blockchain definition (it is agreed with the committee to share this information in the context of this thesis). Hence a blockchain is: A distributed database that is practically immutable by being maintained by a decentralized P2P network using a consensus mechanism, cryptography and back-referencing blocks to order and validate transactions.
Note 1 to entry: A blockchain has a tree shaped structure where each element in the tree is a block that starts with the genesis block at the root, with each block potentially having multiple child blocks. Each child block, besides the genesis block, contains a hash-value of its parent block.
Note 2 to entry: Since adding a child block to the tree involves calculating a new hash over its parent, no block in a tree path can be changed without invalidating the hash of the child block.
Note 3 to entry: Practically immutable means that within the confines of current technology and known attack vectors records are immutable.
Note 4 to entry: Usual blockchain applications connect child and parent blocks to lists, which is only a specific form of the more general tree.
The next section will explore how the blockchain works in more detail, adding more context to the definition.

How blockchains work
This section will take a systematic approach to describing how a blockchain works in more detail. To sum up the previous definition, a blockchain is an innovation that itself relies on three concepts: peer-to-peer networks, cryptography, and distributed consensus using the resolution of a randomized mathematical riddle. None of these concepts is new by itself, but in combination they allowed for the computing breakthrough of the blockchain. More details of the cryptography used in blockchains will follow in the next main section: Existing privacy solutions.

Exchange of digital values
Decentralized peer-to-peer (P2P) networks have existed before, with Freenet or BitTorrent [71]. The blockchain now enables an exchange of values (often referred to as tokens) instead of media [62], [72], [73]. These P2P networks are distributed systems that must solve a difficult computer science problem: the resolution of conflicts, or reconciliation [74]. Traditional databases, like relational or object-oriented databases, offer referential integrity, but in a distributed system this does not exist [74]. To arrive at a consistent value, the system needs to have rules in place to determine which value is considered valid. One of the toughest problems to solve is the double-spending problem, in which one instance sends the same value to the network twice, but only the one arriving first will be accepted as such [63]. The other one will be made invalid. To guarantee integrity within a P2P network, every participant therefore needs to agree on the order in which those values arrive [60]. For that, a consensus mechanism is required. Consensus algorithms for distributed systems have been actively researched for decades (e.g. the Paxos and Raft algorithms).
Blockchains use different consensus algorithms. Currently, the most used algorithm is called proof-of-work consensus, in which blocks are mined by expending computational work, and thus electricity [60].

Hashes and blocks
A blockchain functions by storing its transaction data (e.g., transfer of value) in digital containers called blocks [10], [60]. Each block is linked to its parent block through unique digital fingerprints termed hashes [10], [60]. A hash is simply a cryptographic function that maps data of any arbitrary size to a fixed size, called the hash value (or hash) [10], [60].
The following is a cryptographic hash value of the first-round Delphi questionnaire Word document (see Appendix A), simply created using an online hash generator [75]: 25644cccfd395429c9462929cdfbc5b6d6cd952aed30a432501c847e17883249 By making a trivial change to it (adding a single letter to correct a spelling mistake), the same algorithm produces the following outcome: 7845a160ca8a4ba6691f9dfa2d3342c51b7572e8fbd82727606a9a27fbc9814e As shown, both hashes are different but have the same length. There is currently no known way to reverse engineer the original input from the cryptographic hash (hash algorithms can be broken, but it is assumed that new ones are developed along the same timeline as the algorithms able to break them) [64], [72]. Figure 5 shows a simplification of a chain of blocks that further uses timestamped hashes in a header at the top of each block of information (the Merkle root, which is basically a hash of all hashes that helps to create a Merkle tree to trace the Bitcoin blockchain transactions without having to download the full blockchain, is left unexplained on purpose as it is out of scope of this explanation) [76]. This history of transactions stored in the blocks is linked back to the initial or genesis block (for a Bitcoin-specific consensus algorithm called proof of work, an additional string called a nonce is used together with a hash function; this can be ignored here) [60]. The information stored in blocks is by current measures highly tamper resistant (practically immutable), even for those who store and process the information [12]. This is made possible by independent validation nodes that come to a decentralized consensus for every transaction that has occurred [60], [77]. Consensus algorithms ensure that the participants of the P2P network agree on one truth (e.g. Bitcoin uses electricity in its proof-of-work consensus; other consensus algorithms are used for specific needs and are not discussed in more detail in the scope of this thesis) [60], [77].

Mining
The process of looking for blocks and creating consensus is called mining because block mining brings an economic reward, some form of value (e.g. gold) [60], [62]. This is the reason why nodes in a blockchain are also called miners. Not every node has to be a mining node; this is a voluntary process that each owner of a node can choose to enable [62]. The process in Figure 6 shows that nodes in the chain create a new local block with pending transactions. They compete to find out whether their local block becomes the next block in the chain for the entire network, by solving a cryptographic puzzle [60], [76]. If a node solves the puzzle first, then it earns the ability to publish its local block, and all transactions in this block become confirmed [60], [76]. This block is sent to all other nodes in the network. All nodes then again check that the block is correct, add it to their copy of the chain, and try to build a new block with new pending transactions [60], [76].
Finding the random solution and winning the race to validate a block is by design extremely difficult. This further prevents fraud and makes the network safer (unless a malicious actor controls more than half of all nodes in the network) [60], [76], [12]. Consequently, new blocks get published to the chain at a roughly fixed time interval (in Bitcoin, blocks are on average published every 10 minutes). To use the blockchain not only for storing and exchanging value through transactions, intelligent computer algorithms (or programs) were added to the construct [78], [79].
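As an added illustration (not code from this thesis, from Bitcoin or from any project it cites), the following Python models the parent-hash link from Notes 1 and 2 of the definition, the avalanche effect of the hash example in the Hashes and blocks section, and the proof-of-work puzzle of the Mining section; it also shows why an edit to an old block forces every later block to be re-mined. All names, the difficulty value and the sample transactions are constructed assumptions.

```python
"""Minimal hash-chained blocks with proof of work (added illustration)."""
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS_PARENT = "0" * 64  # constructed sentinel: the genesis block has no parent


def sha256_hex(data: bytes) -> str:
    """Fixed-size fingerprint of arbitrary-size input (SHA-256, 64 hex chars)."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(a: bytes, b: bytes) -> int:
    """How many of the 256 hash bits differ between two inputs (avalanche effect)."""
    x = int(sha256_hex(a), 16) ^ int(sha256_hex(b), 16)
    return bin(x).count("1")


@dataclass
class Block:
    index: int
    parent_hash: str    # hash of the parent block (Note 1 of the definition)
    transactions: list  # constructed sample payload, e.g. "alice->bob:5"
    nonce: int = 0      # proof-of-work counter (Mining section)

    def hash(self) -> str:
        # Canonical JSON with sorted keys so every node hashes identical bytes.
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


def meets_difficulty(h: str, difficulty: int) -> bool:
    """Puzzle: the block hash must start with `difficulty` hex zeros."""
    return h.startswith("0" * difficulty)


def mine(block: Block, difficulty: int) -> Block:
    """Try nonces until the block's hash satisfies the puzzle (proof of work)."""
    while not meets_difficulty(block.hash(), difficulty):
        block.nonce += 1
    return block


def build_chain(tx_batches: list, difficulty: int) -> list:
    """Mine a genesis block plus one block per batch, each linked to its parent."""
    chain = [mine(Block(0, GENESIS_PARENT, ["genesis"]), difficulty)]
    for batch in tx_batches:
        chain.append(mine(Block(len(chain), chain[-1].hash(), list(batch)), difficulty))
    return chain


def broken_links(chain: list) -> list:
    """Indices whose stored parent_hash no longer matches the parent's current hash."""
    bad = []
    for i, blk in enumerate(chain):
        expected = GENESIS_PARENT if i == 0 else chain[i - 1].hash()
        if blk.index != i or blk.parent_hash != expected:
            bad.append(i)
    return bad


def invalid_work(chain: list, difficulty: int) -> list:
    """Indices whose hash no longer satisfies the proof-of-work puzzle."""
    return [i for i, blk in enumerate(chain) if not meets_difficulty(blk.hash(), difficulty)]


def is_valid(chain: list, difficulty: int) -> bool:
    """A node accepts the chain only if every link and every proof of work hold."""
    return not broken_links(chain) and not invalid_work(chain, difficulty)


def remine_from(chain: list, start: int, difficulty: int) -> int:
    """Re-link and re-mine every block from `start` onward; returns blocks re-mined.

    This is the work an attacker must redo to hide an edit, which is why
    controlling a majority of the mining power matters (Mining section).
    """
    count = 0
    for i in range(start, len(chain)):
        if i > 0:
            chain[i].parent_hash = chain[i - 1].hash()
        chain[i].nonce = 0
        mine(chain[i], difficulty)
        count += 1
    return count


if __name__ == "__main__":
    DIFFICULTY = 3  # constructed: 3 leading hex zeros, about 4096 tries per block
    chain = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]], DIFFICULTY)
    print("valid:", is_valid(chain, DIFFICULTY))
    chain[1].transactions = ["alice->bob:500"]  # someone edits history in block 1
    print("broken links after edit:", broken_links(chain))  # block 2 no longer matches
    print("blocks to re-mine to hide the edit:", remine_from(chain, 1, DIFFICULTY))
    print("valid after re-mining:", is_valid(chain, DIFFICULTY))
```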

Smart contracts
A blockchain can execute so-called smart contracts, which are programs that replicate together with the transactions, with every node executing them when receiving these transactions [78], [79]. This allows for a distributed consensus on the execution of a promise coded into the blockchain. The idea of pre-programmed conditions, interfaced with the real world and broadcast to everyone, is the second core reason for the blockchain evolution [78], [79], [64], [65].
A legal contract in the real world is a promise that signing parties agree to make legally enforceable [80]. A smart contract is essentially the same, except that it is truly deterministic and only technically enforceable [64], [65]. Smart contracts in a blockchain could allow getting rid of the bank, the lawyer and the court by just writing a program that defines how much money should be transferred in response to certain conditions [78], [79], [64], [65]. To interact with the real world, blockchains need sensors and actuators. The applications relying on smart contracts are called Decentralized Apps (DApps) [78], [79], [64], [65]. The next step in the blockchain revolution is therefore directly dependent on the evolution of mainstream IoT adoption [78].
The strength of the Bitcoin and Ethereum blockchains lies in their fully decentralized characteristic, which also brings many downsides when thinking about values and transactions that need to be kept private [64].

Public, private, permissioned and permissionless
Just like a database, a blockchain can be private or public, and permissioned or permissionless [12], [73].
A public blockchain (e.g. Bitcoin or Ethereum) is characterized by being open to any entity that wants to join the P2P network; a private blockchain, on the other hand, only allows pre-selected participants in the P2P network [12], [73].
The second distinction differentiates the entities that are authorized to conduct the consensus process. In a permissioned blockchain, these entities are pre-selected, whereas in a permissionless blockchain anyone is allowed to participate in that process (e.g. Bitcoin miners) [12], [73].
To list a few examples, a group of the largest banks around the world is working on a private, permissioned blockchain called Ripple that enables global payments for its internal use [49]. Another blockchain network called Interplanetary Database (IPDB) offers a permissioned public blockchain with the aim of allowing anyone to store data immutably, while pre-selecting the consensus-processing nodes to provide fair governance [81].
Governance is one of the big pain points of existing blockchain solutions, as it becomes difficult to hold a bad actor accountable for their behavior in a fully decentralized system [82]. This directly relates to the issue of privacy [83]. Since the invention of blockchain in 2008, many approaches and potential solutions have been thought of to solve the issue of privacy; the next section will explore which ones.

Existing privacy solutions
Privacy concerns in blockchain solutions should be differentiated for private and public blockchains, but in both cases present a valid concern [84]. For public blockchains, statistical tools like graph analysis in combination with web scraping tools have been used to re-identify Bitcoin wallet holders and private keys [84]. This works by tracking transactions on multiple layers and combining them with many data sources (e.g., public Bitcoin transactions with IP addresses) [84]. The same issues arise for private blockchains, adding to them regulatory and security concerns that need to be solved to make blockchains usable for real business cases [84], [48]. This mechanism solved the problem of intent, thus creating a digital signature [87]. These signatures are currently used for blockchain wallets and cryptocurrency exchanges [88]. To increase privacy in public and private blockchains, cryptographers have come up with many techniques to avoid re-identification through statistical analysis. Since cryptography is a highly complex topic, the following two tables briefly summarize these techniques through a comparison based mainly on two blog articles from Buterin (2016) and Samman (2016) [87], [88]. Table 3 shows the well-known and tested cryptography (in use for many years and mostly already broken by someone), whereas Table 4 shows cutting-edge cryptographic techniques [87], [88].
The tables name the techniques, followed by an explanation and their limitations; applications using the technique are listed in the last column. Often the practical applications will use a combination of techniques to increase security and privacy. This fact is indicated by an application being underlined and employed in multiple parts of the tables (e.g., Monero uses stealth addresses and ring signatures) [95], [96].
Another explanation of encryption in the words of Breitman (2016), another thought leader in encryption and identity, helps to understand the next table better [97]: "Encryption refers to the operation of disguising plaintext, information to be concealed. The set of rules to encrypt the text is called the encryption algorithm. The operation of an algorithm depends on the encryption key, or an input to the algorithm with the message. For a user to obtain a message from the output of an algorithm, there must be a decryption algorithm which, when used with a decryption key, reproduces the plaintext."

Table 4: Cutting edge cryptographic solutions [87], [88], [84]

Technique | Explanation | Limitation | Application
 | Each party will only get a binary reply to a privacy related question, i.e. a Yes or a No, without the need to know the actual content of the reply (e.g., the age for a driving licence has to be over 18 in Germany; only that has to be known to drive, not the actual age). | Heavy computation needed, eventually dependent on a third party to provide the proof (e.g., a government). | Zcash, Hawk [64]
Commitment schemes | A message is sent to a receiver, but can only be opened later, after a certain commitment has been fulfilled. | Not a stand-alone solution. | Zcash, Blockstream [98]
Sidechains | Similar to the escrow idea of state channels, but bound to a certain commitment before being activated. | Only in combination with other techniques truly able to increase privacy. | Blockstream (enables so-called confidential transactions)
Homomorphic encryption | Used to perform calculations on encrypted information without decrypting it first. | Heavily increased computation times. | Blockstream
Indistinguishability obfuscation | A program is put into a black box, keeping its internal logic unknown while still producing the same input and output behaviour. | Very high computational power needed, very complex to set up. | Not used in practice yet

In private blockchain environments, consortiums are often formed in which the members compete, but see a benefit in using a shared, secure and unchangeable data source for transactions between them (e.g. R3 with Ripple) [49], [92]. Another consortium is the Digital Asset group, which conducted one of the most conclusive studies on privacy solutions for blockchain, finding that personal data should never be stored on a blockchain [99]: "Reflecting the requirements of both customers and their regulators, it is Digital Asset's position that confidential data should never be stored by a party not entitled to view that information, even if obfuscated or encrypted." Vitalik Buterin, the founder of Ethereum, adds to this by summing up privacy related issues of blockchain in the following way [87]: "In these cases [blockchain used for more data-centric application like timestamping, high-value data storage, proof of existence (or proof of inexistence, as in the case of certificate revocations)], it is once again important to note that blockchains do NOT solve privacy issues and are an authenticity solution only. Hence, putting medical records in plaintext onto a blockchain is a Very Bad Idea. However, they can be combined with other technologies that do offer privacy in order to create a holistic solution for many industries that does accomplish the desired goals, with blockchains being a vendor-neutral platform where some data can be stored in order to provide authenticity guarantees." This thesis aims to find out what such authenticity guarantees could look like with regard to the GDPR, and in what context personal data could be protected in a solution that includes a blockchain in its architecture.
The next section will explore the hypotheses that were formed with the knowledge of the preceding parts of this chapter.

Hypotheses
The main research hypotheses are supposed to provide the basis for the creation of the first set of questions for round one of the Delphi study as well as answering the open questions presented in the literature review. The primary objectives of this thesis, as drawn up in the Research Goal section, were to find out about the "interrelationships between blockchain and the GDPR".
To conclude with five general research hypotheses, the six research questions (three from each view) from the same section were put into the perspective of the literature review:

1. What is the impact and relevance of the regulation towards the development of blockchain technology? What should be done to help blockchain developers become GDPR compliant, without hindering its innovative impact?

The previous section about the Implications of the GDPR for blockchain reflected the limited current state of research about both topics' relationship to each other. The hypotheses drawn from it are:
H1: Blockchains have an impact on personal data.
H2: Data protection regulations will have a relevant impact on blockchains related to personal data.

2. How can a blockchain be made compliant with the new regulation? Can a blockchain be privacy-friendly by being developed along the principles of privacy by design?

Looking at the same part, but also keeping in mind the Existing privacy solutions, the following two hypotheses are formulated:
H3: Personal data cannot be stored on the blockchain directly, but indirectly.
H4: Blockchains can be designed in a privacy-friendly manner by using the approach of privacy by design.

3. How could a blockchain be used as an application for GDPR compliance? How could a blockchain help regulatory bodies?

To create the two-sided perspective, and relating to both previously mentioned parts, the following hypothesis finalizes this view:
H5: Blockchains can help to solve (privacy) challenges accompanying the implementation of the new GDPR.
The next chapter will explore the research methodology, using the knowledge gathered and the hypotheses drawn to design and formulate the Delphi study questionnaires.

Chapter: Research Methodology
This chapter provides an overview of the chosen methodology, the Delphi method (interchangeable with "Delphi" and "Delphi study"). Along the lines of the high-level research process, Figure 7 visualizes how this chapter will start with the background of the Delphi method, followed by its suitability assessment. In the next step, the selection procedure and background of the expert panel (the research sample) are introduced. Followed by the questionnaire design, which includes the research hypotheses and the analysis in between, the chapter ends with the actual data collection. Deeper analysis, framework concepts and recommendations are discussed in the subsequent chapters.

The Delphi Method

Background
The Delphi method is an iterative and structured group interaction process used for obtaining consensus and gathering future outlooks on a complex topic [100]. First developed by the military-backed RAND Corporation in the 1950s, the objective of the original study was to "obtain the most reliable consensus of a group of experts ... by a series of intensive questionnaires interspersed with controlled opinion feedback." [31].
The typical Delphi steps (simplified) are shown in Figure 8. Today, the Delphi method is used to form diagnoses, prognoses and prescriptions in a variety of research areas [33]. The number of rounds and participants of a study depends on the convergence or cohesion of the respondents, and not necessarily on the consensus. Coates (1975) found that [102]: "The value of the Delphi is not in reporting high reliability consensus data, but rather in alerting the participants to the complexity of issues by forcing, cajoling, urging, luring them to think, by having them challenge their assumptions." This research aims to discover mutual relationships between blockchain and the GDPR, while triggering new thought processes, gathering diverse opinions and strengthening the understanding of the topics within an expert panel.
Regarding this study and the diverse subjects of blockchain on the one hand and data protection, in the form of the GDPR, on the other hand, two different fields were looked at. As blockchain at its core belongs to the technology sector and the GDPR to the policy sector, the appropriateness of the method is shown by looking at previous uses of the Delphi method in these fields.
In Information Technology (IT) and Information Systems (IS) research, the Delphi study has been used to specify and determine project requirements and criteria for prototyping or ranking of technology management issues in new product development projects [103]. The method has since been modified in many ways, and while a typical Delphi study consists of three rounds, many subsequent studies have used one, two or four rounds. According to Skulmoski, Hartman and Krahn (2007), sample sizes within these studies varied from 4 to 171 experts [103].
Policy Delphi studies, which seek to generate the strongest possible opposing viewpoints on a policy issue from expert panels, have been used since the 1980s and are used in actual policy evaluation and development, e.g. by the European Commission JRC [104]. These studies can consist of multiple expert panels in different fields, and sample sizes are significantly bigger, as these studies are often well funded and led by expert teams [104].

Figure 8: Typical (simplified) Delphi steps.
1. A questionnaire is sent to a panel of experts that asks for opinions involving experiences, judgments or predictions.
2. An aggregated list of hypotheses is created that again is sent to the expert panel for rating or analysis through a chosen heuristic.
3. The list with its indicated rating and consensus is sent again to be revised, with the expert panel's opinions or reasons for retaining or not retaining the consensus with the group.

1. Imposing monitor views and preconceptions of a problem upon the respondent group by over-specifying the structure of the Delphi and not allowing for a contribution of other perspectives related to the problem.
2. Assuming that Delphi can be a surrogate for all other human communications in a given situation.
3. Poor techniques of summarizing and presenting the group response and ensuring common interpretations of the evaluation scales utilized in the exercise.
4. Ignoring and not exploring disagreement, so that discouraged dissenters drop out and an artificial consensus is generated.
5. Understanding the demanding nature of a Delphi and the fact that the respondents should be recognized as consultants and adequately compensated for their time if the Delphi is not an integral part of their job function.

Suitability
As Delphi is not the only option for exploring theory from qualitative data, the choice of the method is based on considerations of a) the nature of the research problem, b) interaction and consensus within an expert group, c) practical feasibility and d) comparison to other methodologies.

a) Nature of the research problem
As shown in Chapter: Background and Literature Review, both research topics are very new and hugely complex, and hence subject to unknown circumstances. This means the problem does not lend itself to precise analytical analysis, which plays to the strength of the Delphi study to benefit from "subjective judgments on a collective basis" [101].

b) Interaction and consensus within an expert group
As defined previously, the Delphi method helps to structure a process for communication between individuals. These individuals are expected to have different views on the topics, as they come from various fields of expertise. The Delphi study helps to conclude with general frameworks that summarize collected consensus and dissent. It also prevents bias through its following core characteristics, identified by Dalkey (1967) as [101]:
1. Anonymity: the participants will not know of each other;
2. Controlled feedback from the interaction: reduction of disorder among participants through aggregated hypotheses during the interview rounds, to evaluate answers in comparison to the group's opinions; and
3. Statistical group response: the individual views can be analyzed through quantitative and statistical measures to be compared to a final group response.

c) Practical feasibility
Many experts would not be able to attend a personal meeting at a pre-determined place and time, as they usually adhere to time and location constraints within their professional obligations. The Delphi study overcomes these constraints, by giving the respondents flexibility towards answering the questionnaires digitally and in their own time.

d) Comparison to other methodologies
In the following Table 5, specialists from the European Commission have compared different research methods to understand their applicability. It is not within the scope of this research to examine each methodology in more detail.
For understanding the suitability of the Delphi method for this study, the table shows its benefits across all factors considered. Specifically, its exploratory but still structured (not open) nature, and its quantitative and qualitative capabilities, benefit the purpose of this research on the GDPR and blockchain. The Delphi method has finally been chosen because it is not a substitute for other scientific examination, but rather an option for complex and intertwined subjects that cross disciplinary boundaries [100]. It is proposed to conclude with practical recommendations and aggregated frameworks that help to better understand the implications of the interrelationships between blockchain and the GDPR.

As blockchain is a relatively new topic, whereas personal data protection (including the GDPR) is not, experts with different measures of expertise were selected from the fields of data protection and blockchain, or both. Since experts with extensive knowledge or experience in both areas are difficult to find, some participants had knowledge of either blockchain or data protection, but were still regarded as able to provide useful input. Blockchain experts come from various backgrounds, because the technology brings together legal (private and public law), business and technological expertise. Figure 9 shows the combined expertise of 643 years across the four categories considered important for this study. It considers the replies of all experts that took part in either round one or round two of this Delphi study and proves a high degree of collective knowledge and experience. To put this number into a vague perspective: the first data protection regulation was proposed 47 years ago and the first mention of blockchain in the context of this research 9 years ago (see Chapter: Background and Literature Review for clarification).
This information has been drawn from a self-assessment section that was added to each round's questionnaire to further determine the experience and knowledge of the experts, based on a similarly described Delphi study (Schmidt, 1997) [105]. As an additional measure of expertise, it was asked how many years were spent in study-specific fields (blockchain and data protection regulation) and how many study-specific projects had been conducted. A project, defined by the Cambridge Dictionary as "a piece of planned work or an activity that is finished over a period of time and intended to achieve a particular purpose", helps to further evaluate the level of experience [31], [106]. The concluding data will follow in the next sub-chapter about the Data Collection and Questionnaire Design. To summarise, for this study the experts are pragmatically defined along the lines of the Oxford Dictionary as [107]: specialists in either or both of the fields mentioned before, who bring along enough experience and knowledge to be able to provide grounded, in-depth answers to the questions in each round of this Delphi study.

b) Capacity and willingness to participate
All experts have been individually invited to participate on a voluntary basis and were only bound by their own interest in the study itself.

c) Sufficient time to participate
In each round the experts had approximately two weeks to participate. A regular reminder was sent, and the total time effort to answer each questionnaire varied from 20 to 60 minutes.

d) Effective communication skills
At the time the survey was sent, each expert worked in an institution that requires excellent communication skills to be able to excel in their field.
The experts were selected and contacted based on recommendations through business contacts sponsored by BigchainDB GmbH, outreach to regulatory and government officials through official
Experts were invited from different EU countries, as the GDPR is of substantial interest for this localization. One exception was made for an expert from South Korea, who is leading the international standardisation initiative about blockchain and identity. Figure 10 shows the countries of residence of the experts that participated in at least one round. Most of the participants live and work in Germany, which is also the author's country of residence. The focus on Germany can be considered a good choice and not a bias, because on the one hand it is known for its high expertise and strictness in privacy regulations, and on the other hand it provides a central hub for blockchain technology experts from all over the world, i.e. the country of residence does not equal the country of origin and therefore does not create biased opinions [113], [114].

Questionnaire Design
Before going into the specifics of how round one and round two of the Delphi survey were created, it is noted that questionnaire designs within Delphi studies vary greatly [74], [77], [78]. This is partly based on the nature of the research question and partly on the subjective view and creativity of the researcher [33], [103]. The author decided to use the structure of a Delphi study by one of his supervisors as a benchmark and to design the Delphi along those lines [77]. Round one of the study is used to ask semi-structured questions related to the initial research hypotheses. Round two aggregates the replies of round one and gives the expert panel the opportunity to rank these on a Likert scale, while still allowing for additional comments [116]. Because of the nature of the research topic - a complex, future-focused topic that makes consensus harder to reach, because it draws on opinions of a predictive and subjective nature - and contrary to traditional Delphi studies, an optional round three in the form of a mini-workshop was suggested to discuss the resulting frameworks and recommendations in a face-to-face setting.
Each round was performed as an asynchronous study via e-mail, which, contrary to a synchronous study with immediate replies (like an interview), leaves the experts the time to reply to the questionnaires at a time and location convenient to them. In consideration of the experts' limited time, each round was designed for possible completion in under 30 minutes. In the spirit of the GDPR, each expert was additionally given the option to consent to having his or her name published with regard to this study.

Delphi round one
The first round of the Delphi study was sent as a Microsoft Word document. None of the participants had trouble using this format. To make sure the questionnaire was well received, extra care was taken to properly design this first round.
In Figure 11 the structure of the first document shows that participants first received information on the background of the study and its organizational questions (in FAQ form), in alignment with the key question of an information brochure, as Grisham (2008) calls it [79]. It included the option to participate via verbal communication, which was not taken up by any participant. A self-assessment helped to identify the panelists' background in the next part, followed by knowledge material and the main definitions of the GDPR. The author purposefully did not include such material for the blockchain topic, for the following reasons:
1. The GDPR precisely defines its content, whereas blockchain is not yet clearly defined or standardized in a uniform way (see Chapter II).
2. The experts in the panel received a link to the same objective informational website, if they did not already have at least a basic understanding of blockchain [96].
3. To further ensure that experts only replied within their own level of expertise, it was clearly stated in rounds one and two that participants could choose to answer only the questions (and in the detail) within their comfort zone.

Round-one questionnaire excerpt (partial): "In what area do you believe blockchain technology will have the most significant impact with regards to personal data?" and, under H2 (Data protection regulations will have a relevant impact on blockchains related to personal data): "What relationship between blockchain and personal data regulation would you wish for in the future?"
The questions were written based on the hypotheses from Chapter II. The first set of questions under 1 was asked from a specific point of view, to give the expert the chance to put an answer into perspective. Questions 1 to 1.4 consider the implications the GDPR has for blockchain; questions 1.5 and 1.6 review the other position by asking how blockchain can be of help for the GDPR and its authorities. Question 2 is an open-ended question specifically about the future of the two topics.
The completion of this first round by 19 experts resulted in a list of 145 statements, grouped into the 8 questions above. All answers were transferred to a Microsoft Excel table, coded into indexes and broken down into fragments, which helped to add up statements with duplicated content. The indexes were used to rank these statements to see a first expert consensus through the number of duplicates. This left a list of 93 statements, forming the basis for the design of the second Delphi round.

Delphi round two
For the second Delphi round, the list of 93 statements was taken and the statements were re-written and aggregated into 72 hypotheses (these can contain formulated hypotheses as well as longer statements), categorized into limitations, opportunities and general hypotheses. A self-assessment section was left optional and only to be filled out by participants who had not participated in round one.
The final list was rated and commented on by the 18 experts through a "Google Form" questionnaire within the categories shown in Figure 12, which are aligned with the initial 8 questions from round one. The experts were asked to select their level of agreement on a five-point Likert scale for each hypothesis [49]. Inspired by a design thinking mind-set and due to the challenge of the summarization task (it turned out to be a real challenge, which was only solved through this very systematic approach and the consideration of design thinking), many initial statements were left unchanged [119]. On the one hand, the author meant to avoid research bias and felt that the implied context could get lost; on the other hand, it was intended that these statements would be harder to answer with one level of agreement, so that this would trigger the creative minds of the experts and inspire them to leave thoughtful comments. This intention led to critique from some experts in the feedback section but gathered insightful replies from others.
Additionally, for some hypotheses the experts were asked to rate their technical and legal feasibility. This way, the chance of technical implementation and the possibility of fitting into legal structures could be separated from the value of the initial ideas. The experts were further encouraged to provide comments and arguments on their choices and on the hypotheses in general.

Delphi round three
Within the existing time constraints of the author, it was planned to conduct a third Delphi round in the form of a face-to-face workshop with a few participants to gather detailed feedback about the frameworks and analysis resulting from round two. Unfortunately, due to the time constraints, this third round could not be conducted. It does, however, present a logical next step for further research.

Figure 12: Categories of the round-two questionnaire:
I. Blockchain: I. Blockchain's impact on personal data; II. Relevance of data protection regulations for blockchain applications using personal data; III. Defining Personal Data; IV. Storing personal data on the blockchain; V. Privacy by Design and blockchain.
II. Personal Data Protection Regulations: V. Blockchain's role for data protection regulation; VI. Blockchain solving data protection problems; VII. Recommendations and Expectations for blockchain and data protection.

Data Collection
In total, 45 experts, according to the pragmatic definition, were contacted. 35 of these replied, of whom 25 responded positively; the major reason for a negative response was time. 19 experts completed the first questionnaire and 18 the second, with an average response rate of around 75%. For the Delphi method, group size does not depend on statistical power, but rather on the size with the highest chance of arriving at a consensus that covers the important issues [120]. For this reason, Ludwig (1997) documented that the "majority of Delphi studies have used between 15-20 respondents and run over periods of several weeks" [120]. This Delphi study lies well within these parameters. A summary of the self-assessment section in Table 6 shows the response rates and the time duration experts were given for their replies. Some experts only replied to the first round of the questionnaire, whereas others only to the second. It further shows the panel's professional background. To reduce bias towards one profession and to gather as many diverse opinions as possible, the following five professions have been identified:

a) Blockchain Vendor
Blockchain start-ups and venture capitalists that provide or invest in a software solution related to blockchain technology.

b) Consultant
Blockchain and legal consultants, including lawyers from law firms, independent contractors and employees of well-known consultancies (e.g., Big 4 Accounting Firms) [121].

c) Researcher
Researchers and journalists of either the topic of blockchain or privacy regulations from universities and private research institutes.

d) Client
Large enterprises working on implementing blockchain and privacy solutions.

e) Government Agency
Governmental authorities that are part of either creating or enforcing privacy policies and regulations.
Table 7 confirms the previously mentioned study-specific experience, measured in number of years and number of projects. It is concluded that participants within the data protection field have considerably more experience in their field, as blockchain is still a relatively new topic (see Chapter: Background and Literature Review). Experts in both fields seem to have touched both topics along their careers. It is possible to conclude that the two topics are of interest to each other, as only five people in each field seem to have no experience in the other field. The discrepancy between number of years and projects on the left side shows that experts at some point had to at least educate themselves about the topic of blockchain (5 people have no "Years" experience, but 8 have no "Projects"). On the contrary, for personal data protection it seems understandable that most experts touched the topic in some way or other in a project-related manner (5 people have no "Years" experience, but only 4 have not done a project). The next chapter will analyze the replies of the experts in more depth and propose a practical framework.

Chapter: Results
The collected data of the Delphi study will be evaluated in detail, and a recommendation for a framework using the data will be made. The results of the first round of the questionnaire were mainly used to create the second round. Therefore, this chapter will focus only on the 72 evaluated hypotheses (or statements) of the second round.

Analysis
This section puts the collected hypotheses (and statements) from the questionnaire into the perspective of the main research hypotheses of this thesis, by describing the ratings and consensus of the experts, while adding their comments where applicable. Since the hypotheses are very diverse and multi-faceted, most are only described briefly. These results present a subjective view of the participants and might include bias of the author of this thesis. Consequently, they should not be regarded as facts. Table 8 shows the distribution of the categories from the second-round Delphi and their relation to the main research hypotheses, sorted into opportunities, limitations and general statements. Technical and legal feasibility are categories for which some hypotheses were additionally evaluated. In total, 72 hypotheses have been evaluated. As a result, 44 opportunities, 22 limitations and 6 general statements as well as 9 technical and 8 legal feasibilities were generated. Each section in the questionnaire included comment fields in which the experts could justify their ratings. The following sub-chapters will look at the results for each research hypothesis more in-depth. Table 9 to Table 17 contain the hypotheses that were used in the second research questionnaire and summarize the results obtained in that round. The following elements are used for the summary:
• Statement number (#), included to be able to refer to the statement in the text;
• Number of times a specific content was mentioned by experts in round one (R1);
• Boxplot (Figure 13) - graphically plots the range of values from minimum to maximum, median, lower quartile (light grey) and upper quartile (dark grey) on the five-point Likert scale from -2 to 2, which can be found at the bottom of each table. The box plot represents only overall ratings and not the technical or legal feasibility ratings.
For a quick comparison, a comparatively short box plot suggests higher consensus than a longer one. The first research hypothesis looked at the impact blockchains could have on personal data. It was implemented in the questionnaire by listing the different fields it could affect, as identified by the experts in round one. In total, 20 fields have been identified, 18 of which are considered opportunities (Table 9) and 2 limitations (Table 10).

Opportunities
Electronic identity (opportunity 1; x̄ = 1,3) and its possibly unified implementation (opportunity 2; x̄ = 1,3) will most likely be impacted by blockchain, as they were mentioned by many experts in round one and also received the highest rating and a strong consensus, but "with respect to self-sovereign personal data, such a system would need to be incredibly easy to use, limit the number of decisions users are forced to make, and brings huge risks -lost keys, carelessness, inability to manage keys properly." (comment from an expert - this "formatting style" will be used for expert comments within this and the following parts of the Analysis section). The concept of self-sovereign identity was introduced in the context of blockchain by Christopher Allen (2016), who defined it as "individual control across any number of authorities" [122]. The identity layer is believed to be the core problem that needs to be solved to enable decentralized systems, including blockchains [122].
One promising impact building on the identity layer could be better documentation of personal data processes (opportunity 3; x̄ = 1,3), which is often accompanied by contract relationships (opportunity 4; x̄ = 1,2), supply chain management (opportunity 5; x̄ = 1,1) and public filing cabinets (opportunity 6; x̄ = 1,1) - each with a relatively high consensus among the experts' opinions. Blockchains are impacting these through efficiency gains and cost reduction, e.g. through smart contracts within supply chains that could use information from public filing cabinets automatically. Authorities could use the documentation of the data processes to enforce their legal services. This could even be imagined being done by some kind of AI [2].
Governmental services (opportunity 9; x̄ = 1,0) and electronic currencies with enforced identity checks (opportunity 10; x̄ = 0,9) were still seen as possible opportunities, but already received a more divergent consensus. Blockchain's impact on healthcare (opportunity 15; x̄ = 0,6) and science (opportunity 17; x̄ = 0,5) is seen as much more controversial, with low consensus, and it remains unclear if these will be influenced. Some experts even fully disagreed with blockchain impacting any governmental services, healthcare or science and survey data. This is because all three manage data that is considered by GDPR Article 9 as special categories of personal data, including the processing of biometric and genetic data or data revealing political opinions, ethnic origin or philosophical and religious beliefs [51].
Relating to the rights of the individual, blockchain could potentially impact the enforcement of the requirements set by the individuals (opportunity 13; x̄ = 0,8). This relates to the consent requirements proposed by the GDPR (Key definitions and concepts from Chapter II).
Within the field of commercial usage of blockchain technology, entitlements (opportunity 7; x̄ = 1,1), insurance (opportunity 8; x̄ = 1,1), assertions (opportunity 12; x̄ = 0,8) and privacy enhancing business solutions (opportunity 11; x̄ = 0,9) were seen to be impacted with high consensus. Each of them is already impacted by disruptive companies, and practical blockchain use cases within these fields include P2P insurance, event ticketing and nearly untraceable cryptocurrencies [69]. The impact on marketing activities and advertisement surveillance (opportunity 18; x̄ = 0,4) has a relatively high dissent, probably as centralised companies such as Google and Facebook are believed to keep controlling this market, at least in the near term.
On a technological level blockchain is supposed to remove data silos in organizations (opportunity 14; x̄ = 0,8), but not many experts fully agree with this standpoint, which could be because of missing technical knowledge. Another perspective states that blockchain will be the essential part for bridging the relationships between humans and technology (opportunity 16; x̄ = 0,5). The consensus for this hypothesis is relatively low since "Blockchain may be AN essential technology, but not THE essential technology. There will be a number of parallel technologies that work together to enable these things and it is unrealistic to say that one will be THE essential tech."

4.1.2. H2: Data protection regulations will have an impact on blockchains related to personal data.
The second research hypothesis aims to find out if privacy regulations will be relevant for blockchain technology with regards to personal data. In total (Table 11), 13 fields have been identified including 5 opportunities, 6 limitations and 2 general statements.

Opportunities
Even though the hypothesis was only mentioned by one expert in round one, most participants agree with a high consensus that regulations should provide a minimum standard for user data security and data transparency (opportunity 21; x̄ = 1,6). Initiatives in that direction are being taken by standardization organizations. It could be interesting to see a decentralized approach in this regard. The same applies to the increase of data security and protection (opportunity 23; x̄ = 1,0) through the requirement of PbD (opportunity 22; x̄ = 1,1). Blockchain as an identity solution is again mentioned with consensus, this time for the benefit of providing data portability (opportunity 24; x̄ = 0,9). GDPR Article 13 will require organizations to accept user requests to port the data from one service provider to another of their choice [51]. In this context, the use of blockchain for keeping a record of processing activities is proposed under the condition that data could potentially be deleted on a blockchain; more details on that topic will follow in a later part about the RTBF (opportunity 25; x̄ = 0,8).

Limitations
The highest agreement was surprisingly on a hypothesis only mentioned once in round one, discussing the use of personal data for digital avatars, where people share a lot of PII about themselves online (limitation 26; x̄ = 1,6). Blockchain could be highly relevant for that subject by creating transparency about the usage of this data. It was further agreed among the experts that any public blockchain would bring along many challenges that need to be solved (limitation 27; x̄ = 1,3), meaning blockchain technology could cause social disruption if privacy (limitation 28; x̄ = 1,2) were not considered. This is underlined by a comment to "not put personal data "on" any blockchain. Metadata trawling can be defended." There is also a high consensus about policy makers currently being ignorant of the implications blockchains present for society (limitation 29; x̄ = 1,6), which further confirms the necessity of this research and a more engaged dialogue between regulators and the blockchain ecosystems. The first step in that direction has been taken by the Blockchain4EU initiative, which claims to be a forward-looking sociotechnical exploration of existing, emerging and potential blockchain applications for industrial/non-financial sectors [123].
Even though many experts mentioned it in the first round, the RTBF, which relates to the ability to combine transactional privacy and immutability (limitation 31; x̄ = 0,8), is seen with a rather low consensus as an actual challenge (limitation 30; x̄ = 1,1). A reason could be the proposal to allow lost private keys to account for data being deleted. This will be reflected in more detail within H4 - General statements in this chapter.

General statements
Both statements were specifically intended to trigger comments by the experts. Hence the results of the ratings do not play a significant role here as the statements might have more than one argument in them.
However, the first statement summarizes the view on the relevance of the GDPR for blockchain by stressing the importance of the consideration of privacy in the EU (general 32). Most experts agreed with this statement, and many comments were given, one of which summarizes the content of those well: "Not sure how far the GDPR influences world-hosted networks without specific jurisdiction. So, having blockchain as a substrate to enforce GDPR won't work. It would work as a tool to help auditing the liability and data-privacy protocols on a per-company basis (those that are subjected to GDPR)." The second statement provides an even more extensive summary that starts from the argument of BC's core innovation being seen as a decentralized trust model that cuts out all different kinds of middlemen (general 33). Some interesting comments argued that, on the contrary, BC's "innovation is the cutting out of middle persons. They will always have a role as matchmakers.". Additionally, a comment is made on blockchain's need for maturity and adoption, as it "will not provide all the answers from the beginning. It needs valuable applicability in business, ASAP. It needs measurable business cases. Otherwise its adoption will suffer.".

4.1.3. H3: Personal data cannot be stored on the blockchain directly, but indirectly.
The third research hypothesis explored the understanding of personal data and further the question how personal data could be stored on a (public) blockchain, if at all. It also introduces the evaluation of technical and legal feasibility. In total, 16 fields have been identified with 10 opportunities (Table 12), 5 limitations and 1 general statement (Table 13).

Opportunities
The first set of statements looked at the perception of personal data. A high rating and high consensus were given to its description as personally identifiable content, metadata and transactions (opportunity 34; x̄ = 1,1). A much lower consensus was found in defining it as reputational data (opportunity 36; x̄ = 0,7), but "If we decide to make reputational data public it will be important to have the source visible as well. However, we will have to be careful about vindictive behavior by people who were rated poorly." Within the same parameters as the previous hypothesis but with a slightly higher consensus, many experts agreed that a public key of a blockchain can be considered PII (opportunity 37; x̄ = 0,7). The hypothesis that the explanation depends on the content of a smart contract (opportunity 38; x̄ = 0,6) remains undecided. Many experts mentioned in round one that it should be defined according to the definition in the GDPR (opportunity 45; x̄ = 1,1), plus any information that can be considered personal based on every individual's definition (opportunity 42; x̄ = 1,1). The pure definition taken from the GDPR is put into the limitation section since it leaves room for arguments. One argument against this kind of definition gave an example that could be considered when defining personal data: "Tarzana23 although a virtual identity (associated with reputation, etc.) is not personal data. A picture of a face is not (search Google images for "doppelganger"). An IP should not. A retina scan is. A fingerprint might be." One thing is clear, though: from next year onwards the definition as in the GDPR will be the dominant legal ground concerning personal data of EU citizens (see Chapter II: Key definitions and concepts).
The second set of statements focused more on the technical part and the possibilities to add support for privacy to blockchains. This has been identified at the level of identity (mixing keys), value transfer (zero-knowledge proofs) and data payloads (opportunity 35; x̄ = 0,8), through methods that were previously discussed in Chapter II about Existing privacy solutions. The suggested solution for data payloads includes encryption and read permissions as assets. These are usage permissions defined on an asset level with possible time limitations, similar to access control tokens [72], [124]. They would enable granular data sharing, based on a token that defines the access level of the granularity. Combined with smart contracts, this could provide a great use case for many applications (e.g. IoT sensors, smart home, smart factory and others) [14], [48].
Overall, these proposed technical solutions are seen controversially and have a rather uncertain outcome, including their technical feasibility. "As always, it's not much a matter of technology but of human preparedness to change." Surprisingly, the chance to use public key encryption to store and transfer data on the blockchain based on the users' preferences (opportunity 39; x̄ = 0,4) has a meagre rating and weak consensus, even though its technical feasibility is rated high (x̄ = 1,1). Another proposition with very similar parameters for its rating and technical feasibility is based on encryption techniques relating to obfuscation (e.g. the solutions Blockstream uses, also mentioned in Chapter II) that would only store on the blockchain a reference linking to where the PII is stored, using tokenization and hardware components in control of the individual (opportunities 40 and 41; x̄ = 0,3 and x̄ = 0,2) [72], [124]. Some experts "tend to dislike solutions that are too hardware dependent on the user side, although with smart phones this is not an issue.", but also contradict themselves.
The statement that blockchain will never be accepted under the GDPR was rejected by a majority (limitation 48, x̄ = -0,2), even though it was mentioned 5 times in round one. It is to be concluded that none of the above statements is seen as legally feasible, probably because of the very nature of legal procedures relating to the GDPR, which will wait until a case goes to court before any further action is taken [19]. However, "interpretation guidelines or amended legislation could make this clearer.".

General statements
The statement argues that individuals will be in full control of their PII and that exact mechanisms need to be in place to make this possible in case a physical device is lost or a password forgotten (general 49). The intent was to leave the ratings of general statements out of perspective, as this statement implicitly aimed to gather comments from the experts. One interesting fact, however, is that its legal feasibility was rated comparatively high (x̄ = 0,7) and received positive comments: "Legally I see no issues. It is actually a solution adumbrated in the GDPR itself." Overall, most comments mentioned the need for further improvement of blockchain technology before this kind of solution could be provided, partly with the help of blockchain: "A research and development on both technological and legal aspects must be undertaken before the proliferation of blockchain technologies, understood limitations, and possibly unleashed identification in the way that is feasibly to offer useful services."

4.1.4. H4: Blockchains can be designed in a privacy-friendly manner by using the approach of privacy by design.
The fourth research hypothesis investigates the requirement set by the GDPR of privacy by design and its relation to blockchain development. In total (Table 14) 9 fields have been identified with 3 opportunities, 4 limitations and 2 general statements.

Opportunities
One opportunity was mentioned 13 times in round one and has an exceptional rating and high consensus. It states that blockchain can be compliant with PbD under the condition that it is not a sole solution, but rather part of a stack that interacts with other technologies to make up for its weaknesses (opportunity 50, x̄ = 1,6). To ensure the integrity of the data within such a solution, it is agreed that supportive, open standards should be developed (opportunity 51, x̄ = 1,4). Initiatives in that direction have only just started. Compliance with the GDPR only through the use of hash values and public key cryptography is not seen as guaranteeing PbD (opportunity 51, x̄ = -0,3).

Limitations
Relating to PbD, the biggest concern, with high consensus, is the recovery of secret information and private keys (limitation 53, x̄ = 0,9). Solutions could include social validation in the form of multiple signatures of spouses that help to recover such a key; a governmental official could be included as well [64].
A suggested partial solution for a public blockchain is de-indexing, as with Google's search engine, which received a low rating and high dissent (limitation 54, x̄ = 0,5). Personal data that can be found can always be subject to malicious behaviour.
Public blockchains' incompatibility with PbD is left undecided, as opinions diverge strongly (limitations 55 and 56, x̄ = 0,3 and x̄ = 0,2). Some efforts described in Chapter II (Existing privacy solutions) are already considered to apply PbD principles, but most of them have not been tested long enough yet.

General statements
The same applies as in the previous "General statements" sections. The first general statement, about copyright law and the challenge that "rarely governments and law makers can be as fast as technology" (general 57), unfortunately got many comments about the inability to understand its content fully. It should have been formulated more precisely. One positive comment, though, mentioned that "One can think of personal data as of Copyrighted data. I believe it can be managed with blockchain.".
The second statement refers to the challenge of immutability with regard to the enforcement of the RTBF and the question whether a lost private key in a blockchain can be regarded as forgotten (also referred to as "burned"; also mentioned with a low rating under opportunity 65, x̄ = 0,3). It further points to decentralised storage solutions in particular and asks whether those can be considered blockchains and, if so, how they would interact with a public BC (general 58). As expected, this statement did not get a high rating. Nevertheless, its technical feasibility, referring to the connection of those storage solutions to a public blockchain, gained a strong consensus on a medium-high rating (x̄ = 0,6). "Again, let us not forget the leeway the EUGH and other courts give private contracts and allow for balance of interests;" it remains an open question which interests are the ones that need to be balanced.

Wording of the two general statements as presented to the experts (Table 14):
57: "Since blockchains are public and immutable databases, they seem to violate privacy by design in the sense that they are "public by design". Can the internet be compatible with copyright? When technologies, systems and the law work together in a cohesive manner, blockchain can be compatible. However, the complexity of the challenge is immense. Knowing the far-reaching possibilities for blockchain technologies also compels governments to get ahead of the technology as quickly as possible."
58: "In some situations, where RTBF is asked to be enforced, we will have to see if making that data unreadable and/or inaccessible complies to the law or not. (e.g. Private key has been thrown away, "burned" in a blockchain sense. Burning a key should = forgotten.) It depends if IPFS, Filecoin, Siacoin, etc. count as blockchain technology, and how often decentralised storage interacts with public chains. I struggle to see how we can have immutability and RTBF."

This last research hypothesis looks at blockchains' role for data protection regulations and how it could solve data protection challenges. It also looks at the future relationship between the two topics. In total, 14 fields have been identified with a majority of 9 opportunities (Table 15 and Table 16
These statements have been commented on as a "great use case", and two experts stated that it is "one use case we ourselves are looking into". Efforts to solve this problem are already being developed, for example by the smart consent protocol, which aims to implement consent receipts, similar to traditional receipts that one would receive when buying a good in a supermarket [125].
The realization of such a solution could be provided through a blockchain serving as a type of processing log that creates a single point of truth and uses smart contracts to regulate processing permissions (opportunity 60, x̄ = 1,1): "transparency, high auditability, and easy access to data are very powerful features. Having near certain proof that data has not been tampered with is of paramount importance, even more so if the proof comes from an independent third party that cannot be corrupted... knowing that that data is correct not because the government says so, but because it's mathematically provable, is a great feature."
Experts agreed that blockchain enables a change in the dynamics of data ownership and aligns with the goal the GDPR aims to achieve (opportunity 61, x̄ = 0,9). This could happen by providing every EU citizen with an identity that remains fully under the individual's control (opportunity 62, x̄ = 0,8), for instance by giving regulators a scalable private network that interacts with a public network for transparency purposes; its implementation is not seen as technically realistic in the near term (opportunity 63, x̄ = 0,6). To conclude this statement: "governments in Europe might be trustworthy to have a private network as a service; however even in Germany in general everything is federated already; this should be standard if trust is involved; smaller states could federate with other states, EU partner states, etc.". The next opportunity proposes that regulators should start at the protocol level, which remained open (opportunity 64, x̄ = 0,4). If regulators fulfilled tasks in areas such as identity, taxation and property on a blockchain infrastructure, blockchain protocols could become more attractive (opportunity 66, x̄ = 0,2). Here two opposing perspectives emerged. One expert mentions: "from the regulator point of view there are already some examples of technology / regulatory interoperability, for example digital signatures are handled this way, where a regulation like eIDAS defines various levels, what legal value they have, and give technical guidelines through standards." Another expert openly opposed this: "Regulators will never approve protocols. They don't typically issue pre-emptive approvals of things. It's about how the protocol is used, not what the protocol is. So, for evidence, they will define a certain standard of certainty that needs to be met and then it will be up to you to demonstrate that you've met that standard. Eventually norms will develop but they will not be defined by regulators." The statement that the conformity of blockchain and the GDPR is not a technology issue but rather a lawmaker issue remained undecided, with low consensus and strongly divergent agreement ratings, although its legal feasibility was rated positively with strong consensus (x̄ = 0,7).
A very similar approach is taken by one limitation, which states that regulators should provide the correct legal framework and use the new technology to enforce their law also on the digital level (limitation 69, x̄ = 0,8). This statement received a comparably high score within this section, with average consensus, and was mentioned by many experts in the first Delphi round.

Limitations
This first limitation is quoted directly from the questionnaire: all blockchain developers should be conscious of human rights, data protection and privacy, as well as of the need to consider how technology generally can protect the privacy of the individual without impeding technological progress (limitation 68, x̄ = 1,5). It received a very high rating and relatively high consensus, even though it could limit blockchain innovation to some extent.
Since blockchains establish new trust in technology and enforce transparency through immutability, one fear is that they could become another surveillance machine (limitation 70, x̄ = 0,6); however, this statement was not rated strongly.

General statements
The first statement summarises general issues such as machine identity, self-sovereign identity of citizens, secure data exchanges of any kind, product fraud, disabling fake products, securing IoT networks, and establishing standards for necessary digital governance and policy issues. It mentions that in a world where more and more human mandates are delegated to non-human entities like machines, algorithms and protocols, non-human entities become equal stakeholders in all society-related processes. It concludes that blockchain technology will enable this emerging society of "humans and things" (general 71). Many comments followed this statement. One expert agrees: "Blockchain to me is a tool which can be used for humans and things and for enabling the machine of things equally. The [...]" "I believe there is a long-term need for self-sovereign identity, but in the short-term in order to avoid AI-based corporate manipulation and public control. The majority of individuals will never take full responsibility for their own data and identity. The state has reasonably successfully played this role for hundreds of years. I think blockchains and crypto-based decentralization enable more localization, but I don't think it necessarily needs to extend all the way to the individual. There could be a role for cooperative movements or trusted social organizations to manage data and identity for its members. Similar to the labor movements of the late 20th century." The viewpoint of Jan Philipp Albrecht, a data protection lawyer with specific expertise on the GDPR: "Blockchain can help and can be used to be technically compliant with GDPR which is technology neutral."
The first statement draws a comparison to history and proposes a community-based approach towards self-sovereign identity solutions, whereas the second stresses the technological neutrality of the GDPR. The joint conclusion is that both topics should work together to benefit, and not hinder, each other in the future.
The next sub-chapters propose suggestions for making the technology compliant with the GDPR, which is considered both possible and necessary within the current systems of power.

Interim Summary
This section concludes the analysis by summarising the most relevant results of the Delphi study for the research hypotheses. For this purpose, the highest-rated statements of each main research hypothesis were collected and are summarised in Table 18.

Table 18: Highest-rated statements per research hypothesis

H1: Blockchains have an impact on personal data.
• Electronic identity for which consumers create a separate identity for every digital service they use, to which they can grant granular access rights for specific services (interoperability).
• Blockchains help to improve the documentation of personal data processes.

H2: Data protection regulations will have an impact on blockchains related to personal data.
• There should be minimum standards for security and for the ability of users to manage consent.
• Particular care towards personal data should be taken when dealing with digital avatars.

H3: Personal data cannot be stored on the blockchain directly, but indirectly.
• With regard to blockchains, personal data comprises personally identifiable content, metadata and transactions.

H4: Blockchains can be designed in a privacy-friendly manner by using the approach of privacy by design.
• In terms of privacy by design, blockchains could be compliant, but should not attempt it alone.
• Basic design principles need to be established by open standards to ensure that blockchains maintain personal data integrity.

H5: Blockchains can help to solve (privacy) challenges accompanying the implementation of the new GDPR.
• All blockchain designers should be conscious of human rights, data protection and privacy, as well as of the need to consider how technology generally can protect the privacy of the individual without impeding technological progress.

Statistical analysis
The Delphi study conducted in this thesis is qualitative and descriptive in nature and does not lend itself to an in-depth quantitative analysis. This is mainly due to the intention of the study, the complexity of the topic and time constraints that allowed only two Delphi rounds. Other Delphi studies used statistical analysis to compare multiple rating rounds, evaluate ranked replies or forecast numbers (e.g. stock prices) [31], [33]. Further research should use the results of this study for a quantitative survey.
The only test applied to the set of means of the opportunities and limitations is Duncan's multiple range test (MRT) [115], [126]. The results in Table 19 were calculated at a significance level of p < 0,05 and show a strong overlap of means across all hypotheses, i.e. the ratings of the hypotheses do not differ significantly.

Blockchain Privacy Impact Assessment (bPIA)
Based on the knowledge obtained from the Delphi study and the literature review, this section proposes a framework that can be used in practice to increase the probability that blockchain-based applications and solutions comply with the GDPR. The framework is outlined only at a high level, as a detailed solution is beyond the scope of this thesis. It proposes a privacy impact assessment (PIA) for blockchains, which aims to prepare researchers and developers to ask the right questions in order to design their solutions and software architecture in a privacy-friendly manner.
A privacy impact assessment is a specific process mandated by the GDPR, which calls it a data protection impact assessment (DPIA); for all practical purposes PIA and DPIA are considered the same thing [51]. The process helps organisations to identify and minimise privacy risks and is usually conducted when developing and implementing new processes, projects, policies and systems. It is also considered to help organisations realise the benefits named earlier and to secure relationships with users, customers and stakeholders [19]. Recital 84 of the GDPR describes its purpose as follows: "In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing."
In Article 35 the GDPR further sets out what a DPIA must contain at a minimum [20], [51], [127]:
• a description of the processing activities and their purposes;
• the legitimate interests pursued by the controller;
• an assessment of the necessity and proportionality of the processing;
• an assessment of the risks to the rights and freedoms of the data subjects;
• the measures envisaged to address those risks;
• all safeguards and security measures to demonstrate compliance;
• an indication of timeframes if the processing relates to erasure;
• evidence of any data protection by design and by default measures;
• a list of recipients of personal data;
• confirmation of compliance with approved codes of conduct; and
• details of whether the views of data subjects or their representatives have been sought.
Before the GDPR, PIAs were already considered best practice by regulators, including the Information Commissioner's Office (ICO), the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals [128]. Figure 14 shows the seven steps of the ICO's PIA guidance, which are likely to satisfy the new requirements of the GDPR as well (at the time of writing there was no detailed source on what a DPIA should look like).

Figure 14: Specific steps of the PIA process (own presentation) adapted from ICO's guidance [129]

The framework for the blockchain privacy impact assessment was created as a canvas-style overview (known from the "business model canvas") [130]. Each step relates the PIA's implications to blockchain technology while presenting the information needed to conduct the bPIA in an aggregated view that fits on one page. Each point is examined in a little more detail in the following sections: the first paragraph of each shows the wording from the actual canvas, whereas the second adds further insights.
(1) Identify the need for a PIA with regard to personal data (PD)
Canvas wording:
1. According to applicable law: a) high risk to the rights and freedoms of an individual; b) automated processing or profiling; c) systematic monitoring of a publicly accessible area, or effects, on a large scale.
2. The organisation's own risk assessment requirements, e.g. expensive data processing, highly sensitive data, strategic business decisions based on data.

Additional insights:
1. Private and public blockchains generally fall under the need for a PIA, specifically since private and public keys will most likely always be regarded as personal data to begin with.
2. Blockchain applications are often used to increase trust, meaning increased security, which makes a PIA essential to every blockchain use case.

From the information gathered in the previous sections, the conclusion can be drawn that a blockchain will most likely always require a PIA, be it for legal or business reasons. For the technology to succeed [...]

Figure 14 steps as listed in the canvas: Identify the need for a PIA; Describe the information flows; Identify the privacy and related risks; Identify and evaluate the privacy solutions; Sign off and record the PIA outcomes; Integrate outcomes into a project plan; Consult with internal and external stakeholders as needed throughout the process.

The RTP evaluates the impact of, likelihood of and response to potential vulnerabilities while identifying their owners and the actions that need to be documented, in order to develop best practices and better governance models for existing blockchain solutions [83], [133].

(4) Identify and evaluate the privacy solutions
Adding to the RTP's evaluation of risks, their likelihood, impact and action plan, an outline of the operational requirements should be drawn up to translate risk decisions into practice.
It is recommended to link blockchain solutions to the privacy by design strategies and tactics proposed by Colesky and Hoepman. The evaluation of privacy solutions should be accompanied by considering PbD strategies, the implications of the GDPR for blockchain and existing privacy solutions, as outlined in Chapter II. The strategies can be detailed further using other frameworks by Colesky and Hoepman, such as the privacy design strategy framework shown in Figure 16. Additional information on both frameworks can be found in the original sources, as they are mostly self-explanatory.

(5) Sign off and record the PIA outcomes
For blockchain solutions, this report could partly be made public or reproduced for anyone using the blockchain, so that eventually every data controller that is part of the blockchain complies with the GDPR; this could even happen at protocol level.
Blockchain solutions can strongly increase their likelihood of complying with the GDPR if they can provide a well-documented PIA; it is therefore important to take extra care when preparing the bPIA report. Should public blockchain nodes and miners be considered joint data controllers, the benefits of a valid and reproducible bPIA that is an integrated part of the blockchain would be tremendous.
(6) Integrate outcomes into a project plan
All decisions are now translated into defined actions to make sure the risks are correctly and effectively mitigated. This step should also include an implementation plan that sets up the identified processing functions, with periodic reviews and monitoring of the RTP.
For blockchain solutions this means putting concrete technical work into the actual product roadmaps, including deadlines and dependencies, while accounting for maintenance measures. For a public blockchain this could include reviews by the blockchain community itself, to increase the likelihood of compliance and to be better prepared for legal cases that blockchain use cases may face in the future.
Since blockchain research and applications are at an early stage, it is still very possible to implement PbD measures. This would make solutions future-proof and suitable for mass adoption [85], [87].
(7) Consult with internal and external stakeholders as needed throughout the process
Throughout the PIA process one should consult all internal stakeholders and possibly also appoint an internal and/or external devil's advocate who examines the outcome from the viewpoint of a data subject. As best practice, this should include consulting a legal, data protection or privacy expert.
For blockchains this could be anyone from the community: a user, a customer or an external consultant. One suggestion is to review the PIA publicly, just as smart contracts and other code are reviewed today.
Since blockchains operate in the digital world, they remain subject to hacks in which criminals steal funds. To counter this, the blockchain developer ecosystem relies on systematic code reviews on a global basis [135]. Similar reviews could be applied not only to code but also to PIA actions. Further recommendations are summarised in the next section.

Practical Recommendations
Based on the Delphi study and the review of the literature, a brief list of practical recommendations has been prepared to give practitioners guidance on the steps necessary to make blockchains more privacy-friendly. These recommendations are summarised in Table 20.

Table 20: Practical recommendations

• Encryption will help to increase the privacy of blockchains, but will never be sufficient on its own.
• Hashing could be a valid solution to store PII on the blockchain.

Mutual impact
• Do not underestimate privacy regulations like the GDPR, or other regulations, when developing blockchain solutions.
• An increase in popularity could make authorities aware of blockchain technology sooner rather than later.
• Do not overestimate blockchain solutions as solving problems by themselves; the technology is at an early stage and should be combined with existing standards and software solutions.
• A scalable blockchain is mandatory to provide any kind of feasible solution ready for broad adoption.

Political
• Deepen the existing efforts with regulatory and governmental bodies to provide a clearer mutual understanding of blockchain and the GDPR.
• Create EU-wide lobbying efforts in order to solve blockchain's challenges (e.g. the RTBF = burned keys) at EU level within the legal frameworks the EU has to offer.

Social
• Education about privacy and blockchain for the blockchain ecosystem on the one hand and for individuals across all impacted fields on the other.
• Create certification programs for blockchain privacy impact assessments.
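The recommendations above treat hashing as a way to put PII on a chain, and the discussion of statement 58 earlier in this chapter treats a "burned" key as a candidate for erasure. The following Python is an added example written for this edition; it is not code from the thesis or from any project it cites, and the ledger list, the vault class and the sample birth date are constructed stand-ins for a real chain, a real data store and real PII. It shows three things a practitioner should check before adopting the hashing recommendation: that an unsalted hash of a low-entropy field is no protection at all, because the whole space of plausible birth dates can be enumerated and compared against the chain; that a keyed commitment (HMAC-SHA256 with a per-record random key held off chain) cannot be linked that way; and what destroying the key does and does not achieve, since the on-chain entry remains but can no longer be opened. Whether that satisfies the right to be forgotten is the open legal question the experts raise; the code settles only the technical side.

```python
"""Off-chain PII, on-chain commitments and crypto-shredding.

Added example for this edition; it is not code from the thesis or from any
project it cites. The ledger list, the vault class and the sample birth date
are constructed stand-ins for a real chain, a real data store and real PII.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta


def sha256_hex(value: str) -> str:
    """Plain, unsalted hash: what "just hash the PII onto the chain" usually means."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_commitment(value: str, key: bytes) -> str:
    """HMAC-SHA256 over the value with a per-record random key.
    Binding (the opener cannot later claim a different value) and, without the
    key, not linkable to any candidate plaintext by enumeration."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def birth_date_candidates(first=date(1920, 1, 1), last=date(2010, 12, 31)):
    """Every ISO date in a realistic range: roughly 33,000 values, i.e. about
    15 bits of entropy. Any field this small is enumerable in milliseconds."""
    d = first
    while d <= last:
        yield d.isoformat()
        d += timedelta(days=1)


def scan_ledger(ledger, candidates):
    """Attacker model: hash every candidate plaintext and compare with every
    on-chain entry. Returns {ledger_index: recovered_plaintext}."""
    index_by_digest = {entry: i for i, entry in enumerate(ledger)}
    hits = {}
    for cand in candidates:
        i = index_by_digest.get(sha256_hex(cand))
        if i is not None:
            hits[i] = cand
    return hits


class OffChainVault:
    """Keeps PII and per-record keys off chain; only commitments reach the ledger."""

    def __init__(self):
        self.ledger = []   # append-only stand-in for the immutable chain
        self.records = {}  # subject_id -> (value, key); this part is deletable

    def register_plain_hash(self, value: str) -> int:
        """The anti-pattern, kept for comparison: the plain hash goes on chain."""
        self.ledger.append(sha256_hex(value))
        return len(self.ledger) - 1

    def register(self, subject_id: str, value: str) -> int:
        key = secrets.token_bytes(32)
        self.records[subject_id] = (value, key)
        self.ledger.append(keyed_commitment(value, key))
        return len(self.ledger) - 1

    def open(self, subject_id: str, index: int) -> bool:
        """Controller or data subject shows what the on-chain entry refers to."""
        if subject_id not in self.records:
            return False
        value, key = self.records[subject_id]
        return hmac.compare_digest(self.ledger[index], keyed_commitment(value, key))

    def erase(self, subject_id: str) -> None:
        """Crypto-shredding: delete plaintext and key. The ledger entry stays,
        but nothing can open it any more and enumeration cannot link it."""
        self.records.pop(subject_id, None)


def demo() -> dict:
    vault = OffChainVault()
    dob = "1987-04-12"                       # constructed sample PII
    plain_idx = vault.register_plain_hash(dob)
    commit_idx = vault.register("subject-42", dob)
    recovered = scan_ledger(vault.ledger, birth_date_candidates())
    opened_before = vault.open("subject-42", commit_idx)
    vault.erase("subject-42")
    return {
        "plain_recovered": recovered.get(plain_idx),        # the birth date itself
        "commitment_recovered": recovered.get(commit_idx),  # None
        "opened_before_erasure": opened_before,             # True
        "opened_after_erasure": vault.open("subject-42", commit_idx),  # False
        "ledger_entries": len(vault.ledger),                # still 2: nothing left the chain
    }


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the code. The per-record key is what makes two registrations of the same birth date land on the chain as unrelated values, so the chain itself cannot be used to cluster subjects; a single global salt would not give that. And erasure here changes nothing on the ledger, which is exactly why the experts call a burned key a candidate for "forgotten" rather than an established equivalent.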

Chapter: Conclusion
"Friends don't spy; true friendship is about privacy, too." The intention of this quote by Stephen King can be applied to the mutual relationship of blockchain and the GDPR that should represent a form of friendship [136].

Résumé
The motivation for this thesis was the (partly personal) realization that current systems of power demand a change in technology and in the perception of human rights in an increasingly digitized global world. Privacy protection received a proposed solution in the form of the GDPR, whereas the technology that connects individuals received a solution called blockchain. For a widespread innovation like blockchain to be realizable within current social and legal frameworks, it is necessary to research how both topics interrelate and influence each other. This thesis is the first to provide an in-depth view of blockchain and the GDPR by investigating the research objective: developing theoretical frameworks and practical recommendations to improve the mutual relationship between blockchain and the GDPR.
The key research question about the interrelationships between blockchain and the GDPR is decomposed into sub-questions that look at it from the perspective of a blockchain expert on the one hand and a regulatory authority (including data protection experts) on the other.
The blockchain expert can now conclude that the GDPR will have a significant impact on the development of blockchain technology, mainly because most blockchain solutions use public key cryptography, and for now every private or public key can be considered personal data. The regulation will therefore require blockchains to consider a privacy impact assessment and the principles of privacy by design (H3: Personal data cannot be stored on the blockchain directly, but indirectly). A privacy impact assessment framework for blockchains is proposed to help understand these requirements and enable compliance with the GDPR. The thesis further finds that blockchains can be used to enhance GDPR compliance by using their immutability to store data processing information as metadata on the blockchain, creating a single source of truth about all processing of personal data (Opportunity 3 in H1: Blockchains have an impact on personal data). Additionally, blockchain is considered a leading component of identity-related software solutions, owing to its advanced cryptographic and decentralized capabilities (see Chapter II: Existing privacy solutions).
From a regulatory perspective, blockchain is still perceived as a technological infant, but its potential impact on policies and politics is already understood and taken seriously. Regulators are asked to extend their dialogue with the blockchain ecosystem to create the right environment for blockchain innovation to unfold. An urgent need is an effort towards open standards and certifications approved by the European Union. How this can be done without hindering blockchain innovation remains unanswered, but an active dialogue is the right first step. A privacy-friendly blockchain, developed along the principles of privacy by design, has been demanded by the European data protection supervisory authority (see Chapter II: Implications of the GDPR for blockchain). This demand can only be fulfilled by both sides, blockchain developers and regulators, working together. The experts in this study consider it very likely that blockchain technology will align with these design principles. Eventually, blockchains could become part of an EU-wide administrative software architecture by combining public blockchains with private blockchains used by regulatory bodies (see Chapter IV, H5: Blockchains can help to solve (privacy) challenges accompanying the implementation of the new GDPR).
The Delphi method, known from policy and IT research for its ability to aggregate expert opinions on a complex topic, was chosen to provide the research with data from a variety of industry and policy experts that helped to form a valid picture of these relationships [104].
The topicality of both subjects demanded an extensive review of literature across diverse scientific and non-scientific sources to establish the background of blockchain and the GDPR. After providing background on the most important changes and legal definitions of the GDPR, the implications for blockchain technology give a first overview of the challenges and changes it faces. The right to be forgotten and privacy by design principles are the most prominent challenges for blockchain development, whereas opportunities to improve privacy through improved accountability by means of immutable process monitoring are often overlooked at first glance.
An attempt is taken to review a definition of blockchain technology from multiple perspectives. In brief, a blockchain is hence defined as a distributed database that is practically immutable by being maintained through a decentralized P2P network that uses consensus mechanisms, cryptography and back-referencing blocks to order and validate transactions that represent real digitized values.
Following a more in-depth review of what a blockchain is from a technical perspective and which concepts belong to it (e.g. smart contracts, mining), existing cryptographic solutions to enhance privacy within blockchains were compiled. Zero-knowledge proofs, the most prominent solution, enable the validation of personal information by providing a binary output that shows whether the personal information satisfies a set of predefined rules. One example is the proof of age for a driving licence, which would no longer require the actual age but only a "yes" or "no" as to whether the individual is allowed to drive; the actual age remains private.
The second chapter, on the background and definitions of both topics, closed with a set of hypotheses reflecting the research questions and objectives established in the introduction. These main research hypotheses were then used to lay the groundwork for the Delphi method, which is described in the third chapter. The main advantage of the Delphi method for this study lies in the nature of the research problem, which does not lend itself to precise analytical techniques but benefits greatly from collective subjective judgement.
A two-round Delphi study with consecutive questionnaires was conducted with a total of 25 participants. The first questionnaire collected data through semi-structured and open-ended questions reflecting the main research hypotheses. The second aggregated the replies of the first into statements and hypotheses that were rated by the experts in round two. A third round was planned but, due to time constraints, not conducted; it therefore offers an opportunity to follow up and research the topic further.
An analysis of the 72 statements rated in round two followed in the fourth chapter. A summary of the statements was used to propose a blockchain privacy impact assessment canvas that can be used operationally, together with a list of practical recommendations. The primary outcome is the realization that most probably every blockchain solution will have to comply with the strict requirements set by the GDPR. It is suggested to achieve this by developing open standards and protocols that every developer in the blockchain community can use. The principal use case for privacy and blockchain is the management of identities, which aims to return ownership of personal data to the individual and aligns perfectly with the core intention of the GDPR: to return privacy as a human right to EU citizens.
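The résumé above describes the property that makes zero-knowledge proofs attractive for identity use cases: the verifier receives a yes or no and nothing else. The following Python is an added example written for this edition, not code from the thesis or from any project it cites. It implements the simplest such proof, Schnorr's proof of knowledge of a discrete logarithm, made non-interactive with the Fiat-Shamir transform so that a smart contract or any other verifier can check it from the transcript alone. A real age check, as in the driving-licence example, needs a range proof over a committed attribute, which is considerably more machinery; what the two share is the property the text describes: `verify` only ever returns True or False and never touches the witness x. The group parameters are generated at import (a toy 64-bit safe prime, an assumption made here for speed; production use needs far larger groups), and the claim string is constructed.

```python
"""Schnorr proof of knowledge with Fiat-Shamir.

Added example for this edition, not code from the thesis or any cited project.
The verifier learns only whether the prover knows x with y = g^x, nothing about x.
"""
import hashlib
import secrets

# Bases that make Miller-Rabin deterministic for every n below 3.3e24.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start: int = 1 << 63):
    """Return (p, q, g): p = 2q + 1 prime, g = 4 generates the order-q subgroup
    (4 is a square, so its order divides q, and q is prime). Toy 64-bit size,
    chosen here so the search is instant; real deployments use >= 2048 bits."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


def keygen(group):
    """Witness x (kept by the prover) and public value y = g^x that may go on chain."""
    p, q, g = group
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def _challenge(group, y, t, statement: str) -> int:
    """Fiat-Shamir: the challenge hashes the whole transcript plus the claim text,
    so a proof for one claim cannot be replayed for another."""
    p, q, g = group
    h = hashlib.sha256(f"{p}|{g}|{y}|{t}|{statement}".encode()).digest()
    return int.from_bytes(h, "big") % q


def prove(group, x, y, statement: str):
    p, q, g = group
    r = secrets.randbelow(q)              # fresh nonce; reuse across proofs leaks x
    t = pow(g, r, p)                      # commitment
    c = _challenge(group, y, t, statement)
    s = (r + c * x) % q                   # s is uniform in Z_q because r is
    return t, s


def verify(group, y, statement: str, proof) -> bool:
    """Binary outcome only: checks g^s == t * y^c. No step here handles x."""
    p, q, g = group
    t, s = proof
    if not (0 < t < p and 0 <= s < q):
        return False
    c = _challenge(group, y, t, statement)
    return pow(g, s, p) == (t * pow(y, c, p)) % p


if __name__ == "__main__":
    grp = safe_prime_group()
    x, y = keygen(grp)
    claim = "holder of credential y may drive"   # constructed claim text
    print(verify(grp, y, claim, prove(grp, x, y, claim)))
```

Two details carry over to any deployment of this idea. The challenge binds the public value and the claim text, so the same proof is rejected for a different statement, and the nonce r must never be reused: two proofs with the same t but different challenges let anyone recover x from the two responses.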

Limitations and need for further research
Although the research has reached its goal, some precautionary remarks relating to the risks of a Delphi study mentioned in Chapter III are in order. Each risk is reflected upon, and a recommendation for further research is drawn from it.
First, a bias may have been created by over-specifying the structure of the first Delphi round, which might have led to the loss of some (possibly valuable) expert opinions. The method can be justified by the limited scope of this thesis, but certainly other questions exist that require further research. Specific solutions (e.g. for a self-sovereign identity) should be identified and reviewed with regard to their technical, social and legal implications.
Secondly, the assumption that a Delphi study can serve as a surrogate for other forms of human communication led to the purely written, digital style applied in this study, in which some understanding and context can easily be lost. For this reason, the optional third Delphi round was proposed to take the form of an in-person workshop with some of the participants; this is the most recommended near-term goal for further research.
Thirdly, summarising and presenting the questionnaire responses from round one turned out to be a major challenge, partly because of the amount of information gathered and partly because of the wording and context used by the participants. This challenge is described in the third chapter, where a creative approach was used to help solve it.
For further research, it is recommended to take apart the hypotheses and statements gathered in this thesis to more detail. Those hypotheses could then be used for other forms of quantitative survey techniques, for example, rankings or concrete predictions of information.
Fourthly, not exploring disagreement or agreement in a third Delphi round could have led to a somewhat artificial consensus. This point is also addressed in the third chapter: the primary intent of this study was to create an understanding of a complex topic that is still perceived differently by most experts.
Further research should divide this complex topic and focus on specific subjects and a review of either technical or legal solution.
Lastly, the choice of experts might have introduced a selection bias affecting external validity, influenced by the subjective decisions made during the selection process. The diverse opinions of the different experts nevertheless resulted in a sophisticated panel that provides valid and valuable research results.
Further research should focus on detailed technical solutions that provide blockchain architectures following privacy by design principles. Data mapping and new business processes for blockchain solutions should be included to extend the detailed work on the bPIA canvas.
A proposition should also be made for how the privacy impact assessment can be implemented to public blockchains under consideration of existing legal and governance frameworks. The result of such an implementation should compare the blockchain ecosystem to economic, political and social factors.
For both academics and practitioners, it is important to keep this changing nature of regulations and technology in mind when conducting research, implementing policies or developing blockchain solutions. The framework needs to be developed further by putting it into action and learning from its outcomes.