Confessions of an Accidental DPO: When HR Becomes the Data Privacy Superhero

You think being in HR is just recruitment, payroll, and handling the occasional office drama? Hala, think again. Welcome to the world where HR suddenly becomes the default Data Privacy Officer (DPO) — walang cape, walang fanfare, pero lahat ng personal info ng employees at applicants ay nasa kamay mo.

At my company, we don’t have a designated DPO. Technically, HR steps in by default. And let me tell you, this is no small responsibility:

• Collecting resumes, applications, and forms? ✅

• Running background checks and consents? ✅

• Handling sensitive personal information under RA 10173 (Data Privacy Act of 2012)? ✅✅

“Matutunaw ang Resume” (HR Edition)

Even before the law became active, I made it a personal rule to protect applicant resumes from prying eyes — kahit joke-joke ang dating nito.

You know how it is: some employees, mostly males, would glance at the pretty applicants and tease, “Pwede ba makuha number?” My answer was always a firm “Nope!” 😆. I’d half-joke, half-warn:

“Huwag niyo ’yan hawakan… matutunaw ang resume ng applicant!” 😆

Joke siya, oo — pero seryoso talaga. Resumes are not for browsing, not for entertainment, not to score a date with that pretty applicant, and definitely not for office chismis. Access is limited to HR and the hiring managers only.

Little did they know, I was already practicing the core principle of data privacy long before RA 10173 existed.

When HR Develops a Sixth Sense for “Sensitive” Situations

And it doesn’t stop there. As HR, you quickly develop superhuman radar for other “sensitive” situations:

• The curious coworker who asks if you can show them the “interesting resumes” that came in today.

• The applicant who asks 50 questions about who will see their NBI clearance (yes, they really do care!).

• The employee who requests a Certificate of Employment with compensation for a credit card, loan, or visa application. Everything is ready and handed over to the authorized agency. But then… someone from that agency calls HR directly asking for the same info.

  
  

  You cannot disclose it over the phone, of course

  .

  Your polite-but-firm reply? “Ang lahat po ay nasa COE, ma’am/sir — (ang kulit lang po!”) 😆

  
  

• The employee who forgets they signed a consent form and suddenly questions why HR “knows so much about them.”

HR Superpowers You Never Knew You Had

Somewhere along the way, HR gains unexpected abilities:

• Memory Master – remembering which applicant signed which consent form, and when.

• Legal Eagle Eyes – spotting missing clauses like “retention period” and “revocation of consent” in a sea of paperwork.

• Tech Translator – explaining to staff what “electronic records and signatures” really mean, without inducing panic.

• Morale Guardian – smiling while internally screaming: “Yes, we can ask for your background, but no, it’s not a job offer yet!”

Why Employees & Applicants Should Know Their Rights

Part of being a good HR-DPO is making sure your employees and applicants are aware of their rights under RA 10173:

• Read the consent form while filling it out. Don’t just tick boxes blindly.

• Know what information will be collected, shared, and retained.

• Understand your rights to access, correct, object to, or request deletion of your personal data.

• Ask questions — a well-informed applicant or employee is actually helping you protect the company and themselves.

On Ethics and “Winning” Applications

To be fair, there was a time when some employees would request that figures be increased to improve their chances of “winning” (e.g., approval of) a credit card or loan application.

That used to happen.

But today, that’s no longer allowed — not just because of data privacy rules, but because of ethics and accountability. HR-issued documents must reflect accurate and verifiable information, full stop.

Once a COE is issued, it stands on its own. We don’t confirm, explain, or adjust details over the phone. Protecting personal data also means protecting integrity — of the employee, HR, and the company.

HR Survival Tips as the Accidental DPO

So how do we survive as accidental DPO?

1. Always label documents clearly – “Confidential,” “For HR Eyes Only,” etc.

2. Track consent forms and retention dates like it’s a sport.

3. Keep humor handy – a little Taglish joke can save your sanity to avoid offending the intrusive employee.

4. Say NO firmly, politely, and repeatedly – protect applicant info, protect yourself.

5. Document EVERYTHING – if NPC ever comes knocking, you’re already ready.

Being an accidental DPO is no joke — but with proper forms, clear processes, awareness, and maybe a little humor, HR can survive… and thrive.

Question to my HR brethren: Kaya nyo ba ang additional responsibility?

Charot lang. 😉

About Me:

Joseline M. Alosbaños, known as the HR Carousel Ringmistress, is a Philippine-based Certified HR Practitioner with over twenty years of experience in Human Resources Management. Her extensive career spans various sectors, including corporate, freelancing, and consulting, equipping her with a wide range of skills. Joseline excels in employee relations, talent acquisition, total rewards management, HR operations, and organizational development, successfully implementing HR strategies that align with business objectives and promote a positive workplace atmosphere. If you require my services, feel free to contact me at joyce.alosbanos@gmail.com.