Journaling for dataflow updates

[rpaul48]

In the current implementation of GDPR Forget, a second call to DeleteShard is necessary at the end of ExecForget(). This is because although the initial call to DeleteShard removes all data in the user's shard, subsequent anonymization updates may result in data again being added to the user's shard.

We suspect this is because dataflow updates happen after making changes to the database. So, when we look at the indices, we look at values which are not updated. This may be resolved by implementing journaling for dataflow updates.