128-bit encryption is sufficient to satisfy the GDPR; however, encryption alone is not sufficient to satisfy your legal obligations.
My suggestion would be to upgrade to 256-bit sooner rather than later because it’s a future-proofed key length in legal terms. Take a look at this website, choose your country and determine your needs.
Depending upon the size of your company, you may need a designated Data Protection Officer appointed to oversee privacy matters.
You also need appropriate policies in place, evidence of information security (full disk encryption, file encryption, data loss prevention, anti-virus, firewalls, etc.), evidence of staff training, audit trails and much more. Europe is getting very strict, and penalties for non-compliance or breaches will be severe.
Here’s a quick and easy executive overview.