It will likely be years before any small business gets a routine regulatory enquiry, unless there is a complaint. And that is how it should be, isn't it?
So, a pragmatic approach then. Everybody violates the laws a little (maybe without knowing) and regulators pick big violations first. Software developers like to handle each edge case up front - which is not possible on this scale, I guess.