a) They are doing the thing we have collectively decided is bad for society (misusing personal data)
b) Do nothing about this when somebody invokes one of their new legal rights, whether that be to retrieve the data you have on them or remove the data you no longer have a grounds under any of the six legal basises to store (which includes 'consent', which can be revoked, as well as five other bases which cannot be revoked but have more limited scope with what you can do with the data)
c) Be reported for this
d) Refuse to work with the compliance group
At this point, judging by how the EU has historically used fines as an enforcement mechanism, you're looking at a small fine designed as a wakeup call. The 20 million EUR figure (or % of revenue) is a _cap_, not a floor, and the EU has never gone for maximum fines except when it is obviously required to enforce compliance.