A new technology for privacy protection developed by a Danish startup can be the key to working with personal data more freely, more efficiently and safely.
Personal data poses a challenge to many organizations. It is a complex area with a strict set of rules that can make it difficult to work within. The complexity can make it feel overwhelming.
So companies often get so overly cautious that they almost give up and miss out on the value their data holds. In short, protecting privacy has become a resource-heavy hassle to many. But a unique encryption method is looking to change the way we work with sensitive information.
Data helps us learn and improve processes, marketing methods, products, and even our societies. We need it for research, analysis, testing, and AI training and much more. Our data is a gold mine and a Danish startup has developed a method to mine the gold more efficiently, less cost-heavy, and in respect of privacy and legislation.
The encryption method is called Type-Preserving Encryption. It is the brainchild of Martin Staal Boesgaard, founder of the Danish data protection startup PII Guard. Martin Staal Boesgaard has more than 20 years of experience in information security and cryptography. Throughout his career, he kept running into the same problems: How time-consuming and complex it is to get access to and be allowed to work with data containing personal information.
“The automation cuts down the processes from months to hours and is cheaper, more secure, and more simple than any previous method”Martin Staal Boesgaard, Founder, PII Guard
Because of his background in cryptography and interest in privacy, Martin Staal Boesgaard started investigating how to use crypto to add an extra layer of protection to the data and thereby setting the data free. He was inspired by Format-Preserving Encryption. But it had its weaknesses when it came to protecting PII (Personally Identifiable Information). So he developed what is now known as Type-Preserving Encryption.
The goal is to create a digital landscape where all data can be efficiently simulated matching the real-world data in virtually any way, without disclosing any PII in the process.
With classic cryptography, the entire file or database is encrypted as a whole. That means that without the encryption key whatever comes out is totally illegible. It means that the data can be sent and stored safely but to work with it in, for example, research, testing or AI training is impossible without the key. And with the key, the person decrypting the data suddenly has all the private data in their hands.
A 1:1 real-world virtual match
What PII Guard is doing is encrypting only the personal and sensitive parts of the dataset like phone numbers, social security numbers, IP addresses, or account numbers. You end up with a test dataset that matches the real dataset in a way that keeps the relations in the dataset intact. The personally identifiable information is destroyed but the datasets can still be compared 1:1. “The automation cuts down the processes from months to hours and is cheaper, more secure, and more simple than any previous method,” says Martin Staal Boesgaard.
“Just like with classical encryption you can still send and store data safely but the important detail is that the receiver can also work on the data in a protected form. We facilitate a new lifecycle for your data: Encrypt the data once and leave it like that because the data is still functional and maintains its business value in its encrypted form,” he explains.
His mission with PII Guard is to set data free and say “Yes we can.” Yes, we can gain maximum value from our data while respecting human privacy and laws like GDPR.
The fixed story that it is difficult, expensive, and almost impossible to work with production data ethically will soon be just a story. The argument “others aren’t fixing it so why should I?” won’t hold water much longer. Because the reality is that change is coming. PII Guard, which launched in 2018, is already working with banks, insurance companies, pension funds, companies, and authorities in Denmark and Sweden.
“The focus from authorities and companies on privacy protection has changed. Previously, most believed that there was no solution to the privacy issues. And thus, there was no alternative but to continue working with data as before. But lately, the authorities have been less forgiving to this argument and companies have started implementing better solutions,” he says.