{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,8]],"date-time":"2026-06-08T11:10:57Z","timestamp":1780917057306,"version":"3.54.1"},"reference-count":48,"publisher":"Association for Computing Machinery (ACM)","issue":"7","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. VLDB Endow."],"published-print":{"date-parts":[[2020,3]]},"abstract":"<jats:p>The General Data Protection Regulation (GDPR) provides new rights and protections to European people concerning their personal data. We analyze GDPR from a systems perspective, translating its legal articles into a set of capabilities and characteristics that compliant systems must support. Our analysis reveals the phenomenon of metadata explosion, wherein large quantities of metadata needs to be stored along with the personal data to satisfy the GDPR requirements. Our analysis also helps us identify new workloads that must be supported under GDPR. We design and implement an open-source benchmark called GDPRbench that consists of workloads and metrics needed to understand and assess personal-data processing database systems. To gauge the readiness of modern database systems for GDPR, we follow best practices and developer recommendations to modify Redis, PostgreSQL, and a commercial database system to be GDPR compliant. Our experiments demonstrate that the resulting GDPR-compliant systems achieve poor performance on GPDR workloads, and that performance scales poorly as the volume of personal data increases. We discuss the real-world implications of these .ndings, and identify research challenges towards making GDPR-compliance efficient in production environments. We release all of our so.ware artifacts and datasets at h.p:\/\/www:gdprbench:org<\/jats:p>","DOI":"10.14778\/3384345.3384354","type":"journal-article","created":{"date-parts":[[2020,3,26]],"date-time":"2020-03-26T14:21:06Z","timestamp":1585232466000},"page":"1064-1077","source":"Crossref","is-referenced-by-count":41,"title":["Understanding and benchmarking the impact of GDPR on database systems"],"prefix":"10.14778","volume":"13","author":[{"given":"Supreeth","family":"Shastri","sequence":"first","affiliation":[{"name":"UT Austin"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Vinay","family":"Banakar","sequence":"additional","affiliation":[{"name":"Hewlett Packard Enterprise"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Melissa","family":"Wasserman","sequence":"additional","affiliation":[{"name":"UT Austin, School of Law"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Arun","family":"Kumar","sequence":"additional","affiliation":[{"name":"University of California, San Diego"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Vijay","family":"Chidambaram","sequence":"additional","affiliation":[{"name":"UT Austin and VMware Research"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2020,3,26]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Family Educational Rights and Privacy Act. Title 20 of the United States Code Section 1232g Aug 21 1974.  Family Educational Rights and Privacy Act. Title 20 of the United States Code Section 1232g Aug 21 1974."},{"key":"e_1_2_1_2_1","volume-title":"Health Insurance Portability and Accountability Act. 104th United States Congress Public Law 191","author":"The","year":"1996"},{"issue":"1","key":"e_1_2_1_3_1","first-page":"2016","article-title":"\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46","volume":"59","author":"Regulation","year":"2016","journal-title":"Official Journal of the European Union"},{"key":"e_1_2_1_4_1","volume-title":"Microsoft","author":"Enhancing Privacy Guide","year":"2017"},{"key":"e_1_2_1_5_1","unstructured":"California Consumer Privacy Act. California Civil Code Section 1798.100 Jun 28 2018.  California Consumer Privacy Act. California Civil Code Section 1798.100 Jun 28 2018."},{"key":"e_1_2_1_6_1","unstructured":"Data Deletion on Google Cloud Platform. https:\/\/cloud.google.com\/security\/deletion\/ Sep 2018.  Data Deletion on Google Cloud Platform. https:\/\/cloud.google.com\/security\/deletion\/ Sep 2018."},{"key":"e_1_2_1_7_1","volume-title":"Google Inc.","author":"Google","year":"2018"},{"key":"e_1_2_1_8_1","unstructured":"Amazon Macie. https:\/\/aws.amazon.com\/macie\/ Accessed Jan 31 2019.  Amazon Macie. https:\/\/aws.amazon.com\/macie\/ Accessed Jan 31 2019."},{"key":"e_1_2_1_9_1","unstructured":"AWS Service Capabilities for Privacy Considerations. https:\/\/aws.amazon.com\/compliance\/data-privacy\/service-capabilities\/ Accessed Mar 31 2019.  AWS Service Capabilities for Privacy Considerations. https:\/\/aws.amazon.com\/compliance\/data-privacy\/service-capabilities\/ Accessed Mar 31 2019."},{"key":"e_1_2_1_10_1","unstructured":"Cryptsetup and LUKS - open-source disk encryption. https:\/\/gitlab.com\/cryptsetup\/cryptsetup Accessed Jan 2019.  Cryptsetup and LUKS - open-source disk encryption. https:\/\/gitlab.com\/cryptsetup\/cryptsetup Accessed Jan 2019."},{"key":"e_1_2_1_11_1","first-page":"2019","article-title":"Technical report, International Association of Privacy Professionals","volume":"31","author":"Annual Privacy Governance Report IAPP-EY","year":"2018","journal-title":"Accessed Mar"},{"key":"e_1_2_1_12_1","unstructured":"PostgreSQL: The World's Most Advanced Open Source Relational Database. https:\/\/www.postgresql.org\/ Accessed Mar 31 2019.  PostgreSQL: The World's Most Advanced Open Source Relational Database. https:\/\/www.postgresql.org\/ Accessed Mar 31 2019."},{"key":"e_1_2_1_13_1","unstructured":"Redis Data Store. https:\/\/redis.io Accessed Jan 2019.  Redis Data Store. https:\/\/redis.io Accessed Jan 2019."},{"key":"e_1_2_1_14_1","unstructured":"Stunnel. https:\/\/www.stunnel.org Accessed Jan 2019.  Stunnel. https:\/\/www.stunnel.org Accessed Jan 2019."},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-58387-6_2"},{"key":"e_1_2_1_16_1","volume-title":"Financial Times. https:\/\/www.ft.com\/content\/56ec37c8-39c0-11e9-9988-28303f70fcff","author":"Ben-Avie J.","year":"2019"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354208"},{"key":"e_1_2_1_18_1","volume-title":"EDPB News. https:\/\/edpb.europa.eu\/news\/news\/2019\/1-year-gdpr-taking-stock_en","author":"Board E. D. P.","year":"2019"},{"key":"e_1_2_1_19_1","unstructured":"B. Casey A. Farhangi and R. Vogl. Rethinking Explainable Machines: The GDPR's Right to Explanation Debate and the Rise of Algorithmic Audits in Enterprise. Berkeley Technology Law Journal 34--143 2019.  B. Casey A. Farhangi and R. Vogl. Rethinking Explainable Machines: The GDPR's Right to Explanation Debate and the Rise of Algorithmic Audits in Enterprise. Berkeley Technology Law Journal 34--143 2019."},{"key":"e_1_2_1_20_1","unstructured":"B. Cihan. Securing Redis with Redis Enterprise for Compliance Requirements In Redis Labs Blog. https:\/\/redislabs.com\/blog\/securing-redis-with-redisenterprise- for-compliance-requirements\/ Jan 10 2018.  B. Cihan. Securing Redis with Redis Enterprise for Compliance Requirements In Redis Labs Blog. https:\/\/redislabs.com\/blog\/securing-redis-with-redisenterprise- for-compliance-requirements\/ Jan 10 2018."},{"key":"e_1_2_1_21_1","volume-title":"Gizmodo. https:\/\/gizmodo.com\/how-to-download-your-data-with-all-the-fancy-new-gdpr-t-1826334079","author":"Conger K.","year":"2018"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/1807128.1807152"},{"key":"e_1_2_1_23_1","volume-title":"Digiday. https:\/\/digiday.com\/media\/gdpr-mayhem-programmatic-ad-buying-plummets-europe\/","author":"Davies J.","year":"2018"},{"key":"e_1_2_1_24_1","volume-title":"Digiday. https:\/\/digiday.com\/media\/new-york-times-gdpr-cut-off-ad-exchanges-europe-ad-revenue\/","author":"Davies J.","year":"2019"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/s00287-019-01201-1"},{"key":"e_1_2_1_26_1","volume-title":"Organizations Are Unprepared for the 2018 European Data Protection Regulation. In Gartner","author":"Forni A. A.","year":"2017"},{"key":"e_1_2_1_27_1","doi-asserted-by":"crossref","unstructured":"B. Goodman and S. Flaxman. European Union Regulations on Algorithmic Decision-Making and a Right to Explanation. AAAI AI Magazine 38(3) 2017.  B. Goodman and S. Flaxman. European Union Regulations on Algorithmic Decision-Making and a Right to Explanation. AAAI AI Magazine 38(3) 2017.","DOI":"10.1609\/aimag.v38i3.2741"},{"key":"e_1_2_1_28_1","doi-asserted-by":"crossref","unstructured":"S. Greengard. Weighing the Impact of GDPR. Communications of the ACM 61(11):16--18 2018.  S. Greengard. Weighing the Impact of GDPR. Communications of the ACM 61(11):16--18 2018.","DOI":"10.1145\/3276744"},{"key":"e_1_2_1_29_1","volume-title":"Formal Modeling and Analysis of Data Protection for GDPR Compliance of IoT Healthcare Systems. In IEEE International Conference on Systems, Man, and Cybernetics (SMC)","author":"Kammueller F.","year":"2018"},{"key":"e_1_2_1_30_1","series-title":"Chapman and Hall\/CRC Computational Science","volume-title":"Contemporary High Performance Computing: From Petascale toward Exascale","author":"Keahey K.","year":"2018"},{"key":"e_1_2_1_31_1","unstructured":"M. Keep. GDPR: Impact to Your Data Management Landscape In MongoDB Blog. https:\/\/www.mongodb.com\/blog\/post\/gdpr-impact-to-your-data-management-landscape-part-1 Aug 29 2017.  M. Keep. GDPR: Impact to Your Data Management Landscape In MongoDB Blog. https:\/\/www.mongodb.com\/blog\/post\/gdpr-impact-to-your-data-management-landscape-part-1 Aug 29 2017."},{"key":"e_1_2_1_32_1","volume-title":"Poly'19 co-located at VLDB","author":"Kraska T.","year":"2019"},{"key":"e_1_2_1_33_1","unstructured":"S. Loiselle. What does GDPR compliance mean for my database? In Cockroach Labs Blog. https:\/\/www.cockroachlabs.com\/blog\/gdpr-compliance-for-my-database\/ July 10 2018.  S. Loiselle. What does GDPR compliance mean for my database? In Cockroach Labs Blog. https:\/\/www.cockroachlabs.com\/blog\/gdpr-compliance-for-my-database\/ July 10 2018."},{"key":"e_1_2_1_34_1","unstructured":"I. Lunden. UK's ICO fines British Airways a record 183M over GDPR breach that leaked data from 500000 users In TechCrunch. https:\/\/techcrunch.com\/2019\/07\/08\/uks-ico-fines-british-airways-a-record-183m-over-gdpr-breach-that-leaked-data-from-500000-users\/ July 8th 2019.  I. Lunden. UK's ICO fines British Airways a record 183M over GDPR breach that leaked data from 500000 users In TechCrunch. https:\/\/techcrunch.com\/2019\/07\/08\/uks-ico-fines-british-airways-a-record-183m-over-gdpr-breach-that-leaked-data-from-500000-users\/ July 8th 2019."},{"key":"e_1_2_1_35_1","volume-title":"Poly'19 co-located at VLDB","author":"Mohan J.","year":"2019"},{"key":"e_1_2_1_36_1","volume-title":"Oracle","author":"Rajasekharan D.","year":"2017"},{"key":"e_1_2_1_37_1","volume-title":"Microsoft 365 Blog","author":"Rayani A.","year":"2018"},{"key":"e_1_2_1_38_1","unstructured":"A. Satariano. Google is fined $57 Million Under Europe's Data Privacy Law. In the New York Times. https:\/\/www.nytimes.com\/2019\/01\/21\/technology\/google-europe-gdpr-fine.html January 21st 2019.  A. Satariano. Google is fined $57 Million Under Europe's Data Privacy Law. In the New York Times. https:\/\/www.nytimes.com\/2019\/01\/21\/technology\/google-europe-gdpr-fine.html January 21st 2019."},{"key":"e_1_2_1_39_1","volume-title":"Poly'19 co-located at VLDB","author":"Schwarzkopf M.","year":"2019"},{"key":"e_1_2_1_40_1","volume-title":"USENIX HotStorage","author":"Shah A.","year":"2019"},{"key":"e_1_2_1_41_1","volume-title":"USENIX HotCloud","author":"Shastri S.","year":"2019"},{"key":"e_1_2_1_42_1","volume-title":"Marketing Dive. https:\/\/www.marketingdive.com\/news\/study-many-publishers-eu-sites-are-faster-and-ad-free-under-gdpr\/524844\/","author":"Sweeney E.","year":"2018"},{"key":"e_1_2_1_43_1","volume-title":"Computer Business Review. https:\/\/www.cbronline.com\/news\/global-data-breaches-2018","author":"Targett E.","year":"2018"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3184558.3186969"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354212"},{"key":"e_1_2_1_46_1","volume-title":"International Data Privacy Law, 7(2)","author":"Wachter S.","year":"2017"},{"key":"e_1_2_1_47_1","doi-asserted-by":"crossref","unstructured":"S. Wachter B. Mittelstadt and C. Russell. Counterfactual Explanations Without Opening the Black Box: Automated Decisions and the GDPR. Harvard Journal of Law & Technology 31--841 2017.  S. Wachter B. Mittelstadt and C. Russell. Counterfactual Explanations Without Opening the Black Box: Automated Decisions and the GDPR. Harvard Journal of Law & Technology 31--841 2017.","DOI":"10.2139\/ssrn.3063289"},{"key":"e_1_2_1_48_1","volume-title":"AWS Security Blog. https:\/\/aws.amazon.com\/blogs\/security\/all-aws-services-gdpr-ready\/","author":"Woolf C.","year":"2018"}],"container-title":["Proceedings of the VLDB Endowment"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.14778\/3384345.3384354","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,28]],"date-time":"2022-12-28T09:53:49Z","timestamp":1672221229000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.14778\/3384345.3384354"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,3]]},"references-count":48,"journal-issue":{"issue":"7","published-print":{"date-parts":[[2020,3]]}},"alternative-id":["10.14778\/3384345.3384354"],"URL":"https:\/\/doi.org\/10.14778\/3384345.3384354","relation":{},"ISSN":["2150-8097"],"issn-type":[{"value":"2150-8097","type":"print"}],"subject":[],"published":{"date-parts":[[2020,3]]}}}