"implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."
If you are collecting or transmitting personal data through a website and aren't using SSL then you're not really taking appropriate measures.
I'd use SSL by default now. It's cheap and reasonably easy to set up and gives you a small boost in SEO, and mostly stops third parties from intercepting traffic to and from your site.