Modern web applications provide many useful services to end-users but require them to share their data, sometimes publicly and globally. In 2018, the European Union issued a comprehensive legislation - the General Data Protection Regulation (GDPR) - that defines a system of laws aimed at promoting the deployment of extensive security mechanisms for the protection of users' data and the prevention of privacy breaches. Unfortunately, most modern systems tend to be optimized for performance, cost, and reliability, leaving security as a secondary goal and failing to provide adequate support for the development of GDPR-aware web applications. As a result, not only do web users remain prone to numerous risks, including the exposure of sensitive data, but the organizations themselves may incur high fines in the case of non-compliance with the GDPR. Moreover, due to the limitations of existing web frameworks, application developers face numerous challenges in building their applications in adherence to the strict GDPR data protection policies. Considering these challenges, this thesis studies the implications that the GDPR holds for web applications and clarifies the requirements organizations need to follow when managing their information systems. In particular, it proposes RuleKeeper, a novel web application framework tailored to provide data security and privacy protections according to GDPR-compliant policies. Additionally, this thesis presents Purposeful Data Objects, a new abstraction for building secure-by-design GDPR-compliant web applications, and GPSL, a policy language for specifying GDPR policies in such a way that the requirements expressed above can be laid out rigorously and interpreted automatically.