London-based regulatory technology (RegTech) company Pontus Vision has released an open source GDPR tool. The tool is aimed at Data Protection Officers (DPOs), with Pontus Vision claiming it will help them become GDPR compliant. The Pontus Vision GDPR solution is a search tool that enables companies to search for and locate customer data quickly.
What is interesting about this solution is that it is open source software. The company says that the software platform came from a UK Government department. What it does not do on its website is identify that department or the base solution from which the GDPR solution was derived.
According to Leonardo Martins, Founder of Pontus Vision: “We have designed Pontus Vision GDPR to enable financial service firms, challenged with historical data management issues, to very quickly and efficiently meet their GDPR requirements. Having built the solution following an engagement with the UK Government, we have applied our knowledge and expertise in security to the development of Pontus Vision GDPR and are pleased to offer it as an open source solution to the financial community.”
How does Pontus Vision GDPR work?
The solution is designed to constantly extract and track all the personal data held on customers. Once the data is identified, it helps DPOs comply with the legislation by making that data easy to search. How it does this is not clear. It could be keyword-based, or it could rely on a set of markers applied when the data is created. Where the data is stored in structured systems such as databases, this is relatively simple.
The challenge will be when the data is stored in unstructured files such as Word documents, PDFs, emails and even instant messenger logs. In all these cases the system will need to accurately identify the personal data and then record it.
Another challenge is correctly allocating the personal data to the right record. If the company deals with three customers called Mark Smith, considerable effort will be needed to ensure data is attached to the right Mark Smith. Again, this is a real challenge for unstructured data, which may lack the relevant context. What Pontus Vision will need to demonstrate is its ability to identify and retain context around the data, so that it can ensure data is not misidentified.
There is also the question of tracking data as it is stored in multiple locations: corporate storage systems, cloud-based services, user devices and even users' personal cloud storage. This means tracking data both inside and outside the organisation.
The company is keen to point out how secure the data is. It talks about GCHQ-level security, even for data stored in the cloud. It claims the software has been reviewed by both the NCSC and GCHQ. However, there are no documents on the site to evidence this. Similarly, a search of both the NCSC and GCHQ sites shows no details of any review of Pontus Vision GDPR.
An interesting move to use open source
Being open source can be a good thing. It allows other developers to take the source code and build new capabilities into it. It also allows Pontus Vision to build out an ecosystem of third-party plug-ins. For a company that positions itself as RegTech this opens a number of possibilities.
There are two versions of the solution. The first is the community version, which can be downloaded from the Pontus Vision website. There is also a commercial version. No price is given for this version, but it will, presumably, come with support and upgrades.
The downside of open source is balancing the community edition with curated versions of the software. There is always a gap between open source community editions and the enterprise versions that generate revenue from support. How it will manage the two is something Pontus Vision needs to explain in more detail.
Targeting the financial community also makes sense. Whether they take the curated or community version, they have the resources to make this work. It will be interesting to see how many customers Pontus Vision can sign up for its GDPR solution.
What does this mean?
GDPR is seen as the magic phrase to unlock money from companies. With the deadline of 25th May fast approaching, there is an increasing sense of panic. Quite how long it will take to install, configure, commission and ensure that all data is identified and tracked by this solution is not clear. Nor is the cost of doing so made clear.
What is important here is that this solution has come out of a government programme. While there is nothing to back up the claim that GCHQ and NCSC have approved the product, it will have been through some rigorous testing. This means the product is likely to be secure, but questions remain.
How will it identify data held in unstructured documents? How will it ensure that data is not misfiled or misrecorded? What is the timescale to deploy and be effective? The latter is extremely important given that time is running out for organisations to be compliant.