Harry Potter and GDPR
I was watching Harry Potter and the Goblet of Fire the other day.
For the uninitiated, Harry Potter is a fictional British schoolboy wizard. If you don’t want to know what happens in the film, or if you have been living under a rock for twenty years and have neither seen it nor read the book, please skip the next few paragraphs, as they include spoilers.
The Goblet of Fire is the one where the other schools turn up for a competition that manages to go on throughout the whole school year; the champions of each school end up having to do genuinely life-threatening challenges (swimming under water for an hour, fighting dragons, that sort of thing), until eventually one of them, Cedric Diggory, is killed during the final challenge by followers of the evil Voldemort, who have infiltrated the competition.
Now, before any Harry fans (not least in my team!) get in touch, I know it’s a film (and a book), and a magical fantasy one at that. And I know that wizards aren’t real, so this is not supposed to reflect reality. But it’s still set in a school, with teachers and pupils, and so we relate to those “everyday” elements of the story in a way that is different to people flying around on broomsticks. It is precisely because the setting and environment are so familiar that we can accept and embrace the other fantasy aspects of the story.
However, in this mode of suspended disbelief, we also accept other “everyday” plot devices that we would never accept in the real world. And Harry Potter and the Goblet of Fire has many of them. But I’d like to focus on just one, not because I want to pull apart the plot – it’s a brilliant story and deserves to be one of the best-loved of the Hogwarts series – but to highlight the challenges in the real world when it comes to gaining consent for marketing.
Each of the champions for each school has to be over 17 (the age of majority for a wizard) and then needs to volunteer for the competition by putting a piece of paper with their name written on it into the goblet of fire, which is the magical equivalent of the business card bowl that you sometimes see on a bar, where you win an iPad or similar in return for your details. The magical wine glass is surrounded by a powerful spell, cast by the teachers, so that only those who are of the permitted age can get close enough to put their name in. And you can only volunteer yourself, not someone else. From that, the goblet selects each school’s champion, based on a set of conveniently unstated criteria. And once selected, that’s it; you are committed to do all the tasks in the competition, so get ready for the thrill of a lifetime.
So far, so plausible. This seems similar to most “business card bowl” competitions. The information needs to be freely given by the individual – consent cannot be forced – and there are some basic checks that need to take place to make sure that the data can be used for marketing; are they over the age limit (to make sure they are an adult) and have you made every effort to ensure that they are a real person, and did indeed provide consent (like checking against a preference service or sending a confirmation, “double opt-in” email to confirm permission).
But then Harry Potter finds himself selected by the Goblet of Fire for the competition. That’s despite the fact that, firstly, he’s not seventeen yet, and so ineligible, and, secondly, he didn’t put his name into the competition. So, the validation process has failed twice over, and on the two entry criteria that are most definitive in the competition – age and consent. Moreover, it is obvious to everyone involved that this has happened; it is the most public breach of data privacy possible. This leads to much hand-wringing amongst the teachers about whether this is right, before they escalate it to the Minister of Magic, no less – effectively, the Prime Minister of the magic world. The Minister concludes that entry into the Goblet of Fire represents a “binding magical contract”, and therefore Harry has to compete.
I appreciate this is a vital plot device for the rest of the book to work, and it creates a “ripping yarn” of against-the-odds, and against-the-powers-that-be, brilliance that is the stock-in-trade of the fantasy genre. And, as I have said earlier, JK Rowling is one of the very best writers in the genre. But it does put into relief data privacy issues in the real world.
The new GDPR regulations are causing much consternation at the moment, particularly when it comes to consent, and proving compliance with the law. Clearly, much of the plot device couldn’t happen for real – it is already illegal to market to under-age teenagers without parental consent, and that’s straightforward. Under the GDPR, you will also have to prove that you have explicit opt-in consent in order to process this personally identifiable information. At the moment, it is up to the individual to complain and prove that you are not compliant – for instance, using the Hogwarts example, Harry would have to complain, and also then prove that he didn’t put his name in the goblet, which is clearly very difficult, because the only real proof is to show that someone else did. However, from May 2018, the onus switches to the organisation to prove that consent was given. It is not enough to show that you have excellent data security processes (the equivalent here of the magical spell around the goblet); you have to show exactly when and where the consent was given.
This would change the plot device significantly. Suddenly, it would be up to the teachers to examine the log files of their spell (it seems reasonable to assume that a spell would have a history, or perhaps it had a CCTV camera on it) and demonstrate that it was indeed Harry that put the piece of paper in. And in that way, they could prove, or, in this case, disprove the provision of consent.
Whilst that might sound like a story killer, it might still be possible for Harry to have ended up in the challenges, because of what happens next. Consent is not the only reason to have permission to perform legal data processing of PII under the GDPR. You can still process data if you have a contract between the two parties; in other words, if they are a customer. Alternatively, you may have to process the data if required by law – that is, if the authorities tell you to. But then you can also process it if you have a legitimate interest in doing so.
By strange coincidence, the Minister of Magic literally calls it a “binding magical contract”, which would mean that consent is not required, and a contract does exist between Harry and the organisers of the competition, as long as they could prove that Harry was an existing customer.
Even beyond that, of course, the Minister of Magic is also the ultimate representative of authority, and so if he commands that the data is processed, then that would represent legal obligation.
And then finally, there’s legitimate interest. This doesn’t really feature in the Harry Potter story, but back in the real world, this is where lots of people are currently focused within their businesses; the question is what, exactly, is a legitimate interest.
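To make the argument concrete, here is an added example (my own illustration, not code from Station10 or from anything the post describes) of what a provable consent record looks like in data, and how the fallback lawful bases discussed above are evaluated when consent cannot be evidenced. The goblet checks are modelled as assumptions: the entrant is at least 17, submitted their own name, completed a double opt-in confirmation, and the log records when and where the entry was made. The two entrants are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

MIN_AGE = 17  # the age of majority for an entrant, as in the post


@dataclass
class ConsentRecord:
    """One line in the consent log: who, when, from where, and how it was confirmed."""
    subject: str
    age: int
    submitted_by: str                 # must equal subject: you may only volunteer yourself
    submitted_at: Optional[datetime]  # when the entry was captured; None if never logged
    source: Optional[str]             # where it was captured (form id, kiosk, etc.); None if unknown
    double_opt_in_confirmed: bool     # the confirmation e-mail was acted on


def verify_consent(rec: ConsentRecord) -> List[str]:
    """Return every reason consent cannot be evidenced; an empty list means it is provable."""
    problems = []
    if rec.age < MIN_AGE:
        problems.append("under age")
    if rec.submitted_by != rec.subject:
        problems.append("not submitted by the data subject")
    if not rec.double_opt_in_confirmed:
        problems.append("double opt-in not confirmed")
    if rec.submitted_at is None or rec.source is None:
        problems.append("no record of when and where consent was given")
    return problems


def lawful_basis(rec: ConsentRecord, has_contract: bool = False,
                 required_by_law: bool = False, legitimate_interest: bool = False) -> Optional[str]:
    """Pick the first lawful basis that applies, or None if the processing is not justified."""
    if not verify_consent(rec):
        return "consent"
    if has_contract:
        return "contract"
    if required_by_law:
        return "legal obligation"
    if legitimate_interest:
        return "legitimate interest"
    return None


# Constructed sample entries: a valid self-entry and an entry made on someone else's behalf.
CEDRIC = ConsentRecord("Cedric", 17, "Cedric",
                       datetime(2017, 10, 31, 19, 0, tzinfo=timezone.utc), "goblet-hall", True)
HARRY = ConsentRecord("Harry", 14, "unknown", None, None, False)
```

Run against the two records, Cedric's entry needs no fallback, while Harry's is only lawful if a contract or legal obligation can be shown, which is exactly the Minister's argument.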
But with only six months to go before the new GDPR legislation is enforced, it’s vital that your organisation is defining how you manage, and justify, your permissions now, before it’s too late. There’s no magic wand or silver bullet; you just have to work through your data and your processes. If you haven’t thought about these yet, or if you are struggling to get this work completed, get in touch with Station10, and see how we can help.