Practice Strategies
The High Stakes In Protecting Data As AI Accelerates
We talk to a US-headquartered firm that protects sensitive data by substituting it with a randomly generated surrogate value known as a token. This approach comes as AI and other technologies generate demands for vast amounts of data.
Wealth managers know they handle vast amounts of data to do their jobs. And in hot investment areas such as AI, demand for data is high. That raises the question of how to handle data in a secure and responsible way, creating opportunities, advocates say, for making transfers anonymous or pseudonymous.
Enabling firms to make more from their data – which often underpins most of a business’s enterprise value – can be the difference between profit and bankruptcy. As a result, the stakes in reconciling data use with privacy concerns are high.
This is where businesses such as US-based Protegrity enter the stage. It is a data protection business operating in a number of countries. It uses data tokenization. As it has argued to this publication before, Protegrity gets involved in how data transfers are made anonymous, or pseudonymous – partly hiding a person’s real identity, or completely removing any references to a specific person in a way that can identify him or her.
Protegrity recently commissioned research to understand how organisations are protecting, modernising, and optimising their data, surveying chief information officers, technology officers, data managers and others. It found that costs are exploding, and that the sheer complexity of compliance affects innovation around AI, for example.
“There is a data accessibility problem and inability to share it among systems,” Paul Mountford, chief executive of Protegrity, told this publication. “For companies that are data-driven, this [keeping data secure] is their priority. They want to get it in a condition where they can use it to build value.”
“Data is a value. Look at today’s supermarkets, for example,” he said, noting that data explains about 94 per cent of a supermarket chain’s enterprise value.
Fixing how data is handled so that it can be used is a “responsibility space”, said Mountford, who has a background in software and technology around data security. He joined Protegrity in 2021, and previously served as the chief operating officer at Pure Storage, a cloud data storage enterprise.
Mountford, a native of the UK now living in California, is convinced that the rising use of AI tools, such as enterprise generative AI and large language models, drives a need for increased data security such as tokenization.
“Companies are using these tools to simplify data processing and identify patterns and sequence data; however, what they put into these solutions might not necessarily be secure from potential bad actors who would be able to analyse exfiltrated data faster and more effectively once AI has categorised it,” he said.
“A second threat is employees using AI tools to perform their job functions. These tools provide limited security and data placed on these platforms could be exposed to external groups, whether they are cyber criminals or other users of these platforms. To mitigate this risk, organisations must protect their data using Privacy-Enhancing Technologies (PETs) which include encryption and anonymisation such as tokenization. This replaces identifiable data with values that do not allow personal or sensitive data to be recognisable,” he said.
Money waiting to be used
Managers of private equity and venture capital firms want to tap into AI and related technologies, and this puts data hygiene in the frame. Mountford said that there is about $1.5 trillion of unspent capital sitting on the sidelines. “They [investors] are looking for companies with reliable, linear growth and that have a short path to making money,” he said.
Wealth management, given its data needs, provides clear use cases for Protegrity’s technology, Mountford said.
Banks, insurers, asset managers, brokers and others need to have data that has been cleaned of problems.
“This whole area is going to explode,” he said.
One important concept, Mountford said, is that of the data exchange: hubs through which firms can build an ecosystem.
“The banking and wealth sector is a minefield of data and much of this is highly sensitive customer information. As such the industry has a responsibility to protect its customers’ data from potential threat actors both in the form of cyber criminals and employees’ prying eyes,” Mountford said. “While many institutions have implemented stringent cyber security measures, it is equally important that the private banking and wealth sector protect the data too.”
“Companies must make sure that their security measures are sufficient for new AI models and should categorise data and build policies for the different categories of data they acquire and store. This will allow for the data to go anywhere and be used in a way that adds value to the organisation without the risk of exposing personal data,” he added.
Question marks
An important issue is how the status of personal data can be changed, and this is where the terms pseudonymised data and anonymised data arise.
The EU General Court, to give one case, has overruled the European Data Protection Supervisor and held that pseudonymised data will not be personal data for the purposes of EU data protection law when transferred to a recipient that is unable to link the pseudonyms to identifiable individuals. According to Dechert, the law firm (12 May 2023), this was a "pragmatic approach that provides greater certainty for businesses that routinely use pseudonymisation, but risks undermining protections for individuals."
With anonymisation, technology masks or removes identities, and that is forever. Pseudonymisation replaces personal identifiers with artificial identifiers. At issue is whether a person could re-identify the pseudonymised data with the addition of other information, such as their client code. If there is a risk that it can be re-identified, then the data still falls under GDPR. There are also, possibly, risks that eventually the pseudonymised data could be hacked and penetrated.