What's an RDBMS? Don't ask the UK's data protection watchdog

The UK's data protection watchdog needs to hire more staff that "understand how databases work", according to whistleblower Chris Wylie. Wylie – the pink-haired, loud-mouthed former Cambridge Analytica staffer at the centre of the claims about the use of Facebook user data in political targeting – made the comments in a four- …

  1. VaguelyCompetent

    Sounds like Wylie needs to go on an RDBMS course...

    ... because he doesn't know the difference between a database and the application using it. RDBMS (e.g. Oracle, MySQL, PostgreSQL) may be used as a storage system for machine learning or statistical analysis but PCA and dimensionality reduction are nothing to do with the RDBMS. They are very much to do with the applications running on top of it.

    Wylie may think that he's sounding clever, but really he's sounding like a bit of a smart ass. Maybe he knows the difference... and maybe he doesn't either...

    1. matjaggard

      Re: Sounds like Wylie needs to go on an RDBMS course...

      No, he was listing things that they need to know more about. He made no reference to them relative to each other.

    2. Anonymous Coward

      Re: Sounds like Wylie needs to go on an RDBMS course...

      "Wylie may think that he's sounding clever, but really he's sounding like a bit of a smart ass"

      Only if you criminally misread the quote. He was listing examples of fundamental concepts that had to be explained "and re-explained" to the ICO. They are all things that any data professional should have at least conversational familiarity with in this day and age, particularly one concerned with personal data.

      1. VaguelyCompetent

        Re: Sounds like Wylie needs to go on an RDBMS course...

        Well, the headline says "RDBMS", the opening sentence refers to "RDBMS", the previous paragraph refers to "a database engineer" and that same sentence states "how relational databases work" immediately before referencing PCA and dimensionality reduction, so to me the article is pretty focussed on RDBMS.

        I completely get that in the bigger picture, someone working with data analysis and value extraction should know about these things, but that's not what I would call a database engineer.

        I definitely agree that the ICO audit team should know this stuff backwards, if they are going to be able to perform a meaningful inspection of any company's data handling.

  2. Doctor Syntax

    "Unfortunately for her, it then took a week for that warrant to be granted"

    It might turn out to be fortunate in the long run if it strengthens her argument for better resources and powers. A great deal of commentary has been written along here apparently based on the assumption that delays etc are her fault rather than a consequence of the legal framework within which she has to work.

    It's right that she should need a warrant to enter premises but why should that require a 5 hour delayed High Court hearing?

    1. Voland's right hand

      It's right that she should need a warrant to enter premises but why should that require a 5 hour delayed High Court hearing?

      Come on, it takes time to remove all the files related to the fact that SCL/CA was founded as a NATO "screw other countries' democracies" division and their work on this since 1993. Especially when the press is taking pictures of the beautiful red-lidded crates they are taken out in.

      Do you really expect any of them to be in the building by the time ICO enters?

      If so, I am Prince Mbaka-Mbaka from the Federal Trusty Mutual Bank of Nigeria and I have an offer for you related to you assisting with the retrieval of 85 MILLION DOLLARS of International Monetary Fund Donation.

    2. Anonymous Coward

      "...but why should that require a 5 hour delayed High Court hearing"

      Additional training ;)

  3. Anonymous Coward

    He's not wrong...

    The ICO was set up as a noddy little civil service body with a focus on process and paper-based exercises. You can see this reflected in its roles and, fundamentally, its civil service pay structures. An information security auditor on the open market today commands at a minimum, easily, something on the order of £40-60k, or £500 per day. Good ones in the right sector, with the right skills can multiply those numbers.

    What are the ICO currently offering for an auditor? 26 grand. I don't want to sound trite, but I certainly wouldn't be getting out of bed for that money and I'd be willing to bet most readers of this humble rag wouldn't either. InfoSec response teams who investigate complex breaches at large organisations will be billing something close to that per *day* between them.

    ICO staffing needs to be remodelled to be something akin to the Government Legal Service, with the ICO's roles being recognised as ones that should be performed by highly specialised, skilled professionals and not jobbing civil servants on a rotation through the North West.

    1. Tom 38

      Re: He's not wrong...

      Yeah but they gave the boss a £40k raise so that should sort everything out.

    2. SVV

      Re: He's not wrong...

      "What are the ICO currently offering for an auditor? 26 grand. I don't want to sound trite, but I certainly wouldn't be getting out of bed for that money and I'd be willing to bet most readers of this humble rag wouldn't either."

      Yes, but our definition of an information security auditor would be someone who has plenty of expertise in information security, and auditing skills that allow them to formulate the right questions that will enable them to gather the information they need to know and analyse for the specific purpose of the audit. Just asking a standard list of questions and ticking the appropriate boxes (which is what a job at this pay scale will more or less be) is not so difficult. And of course far less useful and effective. But it lets the government say they are "doing something" and enforcing the rules, even though it will be largely a pointless waste of time and money. I mean, how many significantly large organisations are going to say "no" to a question such as "have you implemented a formal backup strategy?"....

      1. veti

        Re: He's not wrong...

        I mean, how many significantly large organisations are going to say "no" to a question such as "have you implemented a formal backup strategy?"....

        You realise that question is followed up immediately by "Can I see it, please?" Followed by "Can you show me this component here?", "please restore this test environment from your last available backup", and "show me how you perform a backup".

        Just "saying the right thing" to auditors, even unskilled ones, is asking for whole new dimensions of trouble.

    3. Alan Brown

      Re: He's not wrong...

      "The ICO was set up as a noddy little civil service body with a focus on process and paper-based exercises."

      More importantly, the ICO was set up so that the UK government could be SEEN to be complying with EU directives on data privacy, but was deliberately underfunded and nobbled so that it would be unable to actually _do_ anything.

      It was a very transparent and cynical move and the whole thing needs to be redone properly.

      In addition there needs to be a right of private action and statutory damages for breaches so that individuals can deal with offending outfits - if you want to make companies toe the line then the fear of a death of one million paper cuts is a far more terrifying prospect than facing down a regulator.

  4. Destroy All Monsters

    Modern Life: Hyperreal Dilbert Cartoon Bonanza With a Side-Order of Crazy

    As of 1 April, the salary for the role will go up to £160,000 from £140,000 – a figure it has been stuck on since it was last reviewed in 2008. There will also be an annual "uplift" of £20,000 for the duration of Denham's term.

    Yes, this is going to resolve the issue regarding lack of skills.

  5. Peter Prof Fox

    Tech knowhow is good but...

    You don't need to know anything about say automotive engineering if somebody is breaking the speed limit. That's just a smoke-screen. Which is why a decent standard of technical awareness of what's easily possible or utter nonsense is required by the regulator.

    To take an example, say Bigcorp has 'lost' thousands of people's details. I'd expect a regulator to be able to properly specify what information Bigcorp has to provide and how long it has to do so. Every time this happens we have repetitive 'oh it's worse than we first admitted'. More and worse leak out. So much for regulation.

  6. Anonymous Coward

    GDPR Standards

    As part of GDPR, the European Data Protection Board has powers to enforce standards across Europe to ensure consistency of enforcement. If the ICO is not meeting this standard, then the EDPB will take action to ensure that it does. If the UK wants to exchange data with Europe then they will need to enforce the GDPR.

  7. Anonymous Coward

    DBMS, application, dimensionality, five hour hearing......

    .....is this all misdirection? If the plod are worried about "destruction of evidence", why are they not asking about some pretty simple things:

    - What are your backup arrangements?

    - What are your off-site back up arrangements?

    - Where is the design documentation for your software kept?

    - What arrangements do you use for software version control?

    - Where do you keep bank records?

    - Where do you keep customer records and invoices?


    Unless the bad actors are totally incompetent, the answers to these questions should (eventually) tell the plod where the bodies are buried!

  8. streaky

    Derp

    Not defending the ICO but this whole thing was mishandled from top to bottom. Firstly the guy wanted to make a name for himself so instead of going to the police he went to the press who dutifully plastered it out in public for all to see and give CA plenty of time to duck and cover. Secondly, yes, it is a job for the police, not the ICO (not initially anyway). It's true that data protection laws are alleged to have been broken, but also if the guy is correct so have tech crime laws like (several sections of) the CMA. The police can just go to a magistrate and get a PACE warrant without alerting them that it's coming.

    Reality is though the guy seems to have been complicit by his own account and left it very, very late to be both a whistle-blower and be protected as one.

    Regardless of involvement of the police though, this was utterly balls'd up by the press right from the start.

    1. eldakka

      Re: Derp

      > for all to see and give CA plenty of time to duck and cover.

      According to comments in an earlier thread WRT warrants, the ICO is required to give 5 (7?) days notice to the target of any warrant so that they can appear in court and oppose the warrant application.

      It is not possible for the ICO to do a 'surprise raid'.

      1. streaky

        Re: Derp

        It is not possible for the ICO to do a 'surprise raid'.

        Hence my point that the ICO shouldn't have taken the lead. Data protection isn't the most serious of the allegations with this case. They can get a warrant later for the stuff the police have collected and separately prosecuted at their own pace.

  9. Dodgy Geezer

    Experts must hang together...

    ...he said they were sorely in need of more technical expertise, as they asked him a few too many "basic questions"....

    In my experience, it's the people who ask 'basic' questions who are the cleverest, and the most use in an investigation.

    A bunch of experts flinging buzz-phrases at each other is a recipe for a confused and meaningless finding. If you look at the world's top scientists' writings - Sir Peter Medawar, Richard Feynman et al - you find that the language is simple, basic and clear.

    It's the rather more forgettable second-rate brains that spend their time worrying about displaying technical expertise...

  10. Anonymous Coward

    The ICO and its Scottish version are struggling for staff full stop right now. Many of their better people have been poached by the private sector to take up posts as DPOs.

    The private sector has been offering 2-4x those guys' ICO salaries. So no real surprises that they are jumping.

    Infosec is the same in the public sector. If you're in post you're probably on £25-36k, but replacements are requiring £45k+ before they get real applicants.

    I'm infosec in public sector on £32k and have an interview coming up for a role paying £70-80k. If I'm offered do you think I'll hang around out of loyalty? Really?

  11. Anonymous Coward

    No...

    "...the body has already acknowledged it needs to boost staff's technical abilities."

    No, pamphlets, Friday afternoon training and an internal awareness campaign isn't enough... we all know that's what this means.

    Hire technical data experts. Fire non-technical data dimwits.

    It's really not difficult.

    Look at your staff and figure out who the filing cabinet rifling old numpties are and trim the fat. Give them a gold clock, an Amazon voucher and a dignified exit... but get rid.

  12. Wiretrip

    I would be amazed if the danger-haired narcissist knew what PCA is himself. Also, it is a little known fact that he took the CA data with him when he left and tried to resell it himself...
