Large-scale data applications are becoming an increasingly integral part of how both public and private sector organisations function. The transition towards a data-driven society means that processes within organisations will be organised structurally differently than they used to be and that decision-making will be based on profiles and algorithms more often than not. This change requires several adjustments to the legal regime, both to make the best possible use of the opportunities this change has to offer and to lay down safeguards against dangers and risks. To facilitate this process, a number of changes is needed to the current, individual-centred legal paradigm, such as laying down a protective regime for non-personal data, providing protection to public interests and societal harms and granting a bigger role for representative and collective actions and public interest litigation.