I've read a lot of this regulation and I think it's probably impossible to comply with. It's also very light on technical guidance for compliance. There are only a few passing mentions of encryption and nothing at all about particular standards. In other words, there is no specific requirement to encrypt data in transit or at rest, but rather a vague suggestion that encryption in general might be a good idea. On the other hand, with respect to the right to be forgotten, which is really a right to request erasure, it's unclear whether deleting keys to encrypted data constitutes erasure. It could be read to require actually writing over all the copies of the bits.