People often joke about the EU being toothless, don't they? What penalties exist, as presumably there is a grace period to this that gives companies the time to build the systems in order to respect it? I feel like most small companies will find a way to skirt (or ignore) this as such systems could likely match the complexity of their products themselves.
Fines are only one pillar of the strategy, as the new regulation also makes it significantly easier for individuals to sue companies due to data misuse and loss in a civil court.
But you're right, in the end it will depend on how severely the individual EU countries as well as the commission persecute companies that don't obey the standards. And like in other areas, there will be fraud and companies trying to circumvent the regulation. All in all, I think the standard for data protection will increase significantly.
Small businesses don't need to build complex systems to respect the law. If someone wants their data, they can ask for it by email. The business can then manually gather the data from their databases and send it as a ZIP, PDF or whatever.
You can worry about building a system when it makes financial sense compared to the time spent manually dealing with data requests.
ZIP/PDF would not qualify as an exchange format, as the directive clearly states the data must be "in a structured, commonly used and machine-readable format". XML would do, but a PDF definitely not as it's not machine-readable (in the sense that you can easily extract the structure of the raw data from the file).