Data privacy architect and consultant Eshan Varma’s “Last Copy Of Your Data: Designing Privacy-Preserving Systems Under India’s New Data Protection Law.” The book provides business and technology leaders with a structured, systems-level framework for preparing their organisations for enforcement of the Digital Personal Data Protection Act (DPDP Act, 2023).
India’s DPDP Act, passed in 2023, establishes comprehensive data protection obligations for every organisation that collects, stores, or processes digital personal data of Indian citizens. With the DPDP Rules expected to operationalise enforcement, most Indian businesses face a gap between knowing they must comply and understanding what compliance requires from the systems they have already built. Customer data in a typical organisation exists across primary databases, analytics warehouses, backups, third-party integrations, caches, and increasingly, AI training datasets. Most organisations today cannot answer a fundamental question: how many copies of a single customer’s personal data exist across their infrastructure?
Eshan Varma wrote “Last Copy Of Your Data” to close this gap. The book translates every major DPDP provision into specific architecture decisions and system design patterns. Rather than treating privacy as a legal or policy exercise, Varma argues that privacy is a structural property of well-designed systems. His central thesis is that a privacy policy is a promise, while a privacy architecture is a guarantee, and that organisations which understand this distinction before enforcement begins will be far better positioned than those attempting to retrofit compliance under regulatory pressure.
The book is organised in four parts across sixteen chapters. Part I establishes five foundational principles of privacy engineering, including data minimisation, purpose limitation, storage limitation, confidentiality, and accountability, and maps each to concrete system design consequences. It includes a complete architect’s reading of the DPDP Act, where every key provision is translated into technical requirements, alongside a comparative analysis of global frameworks including GDPR, CCPA, HIPAA, and China’s PIPL.
Part II forms the technical core, covering vault architecture and tokenization, encryption strategy and key management, consent lifecycle design, deletion propagation and crypto-shredding, data residency architecture, field-level access control, and audit infrastructure. Part III applies these patterns across six Indian industry verticals: banking and UPI, healthcare and ABDM, e-commerce and ONDC, SaaS and cloud platforms, data centres, and marketing technology. Part IV addresses privacy architecture for AI and agentic systems, including de-identification patterns for large language model workflows and Model Context Protocol security, and closes with the chapter that gives the book its title: an exploration of what “last copy” truly means in a world of distributed systems, and why it must be understood as a property of the system’s architecture rather than a physical location.
“Most data breaches are not the result of sophisticated attacks,” said Eshan Varma. “They are the result of architectural decisions that left sensitive data in places it should never have been. DPDP gives India the regulatory framework. This book gives architects and business leaders the technical framework to meet it.”
Eshan Varma is a data privacy architect and technology consultant with over seventeen years of experience in software development, system architecture, and digital infrastructure design. His professional background spans SaaS platforms, analytics infrastructure, automation systems, and digital growth technology across startups, technology companies, and digital businesses. He is the founder of Crestpoint Strategic, a company focused on privacy architecture, system design for regulatory compliance, and scalable digital infrastructure. His areas of expertise include vault architecture and tokenization, encryption strategy, consent management system design, privacy engineering for AI systems, and DPDP compliance architecture.
“Last Copy Of Your Data” is positioned at the intersection of three disciplines: system architecture, data privacy regulation, and business strategy. It is written for CTOs, engineering leaders, system architects, data protection officers, and senior developers, as well as founders and business leaders who need to understand what DPDP compliance demands from their technology infrastructure.
“Last Copy Of Your Data” by Eshan Varma is available now on Amazon and Google Books. For consulting and advisory inquiries, visit crestpointstrategic.com.
