Up to 4% of the company's revenue doesn't solve much. Depending on the sector, 4% of revenue (are we talking EBITDA?) may potentially be less than a slap on the wrist, and internally middle-management will take the blame for the reduction in sales margin/operating profit.
The above comment is almost certainly a reference to GDPR, for which the maximum penalty for malicious non-compliance is "up to 4 % of the total worldwide annual turnover." It is not net income or profit or EBITDA or anything else that subtracts operating cost; it is revenue.
IMO all the cookie warnings we see are just misguided attempts to ignore it and continue more or less like before and should probably not save anyone in court, again if I've understood it correctly.
Up to 4%? Wouldn't that simply be considered cost of business for some corporations? Pay less in security, etc. and just consider the 4% a smaller tax of sorts?
It is highly unlikely that the chairman and CEO of any corporation that was found guilty under GDPR and had to pay 4% would survive.
Few bank CEOs have survived the various "we will get some payback for 2008" fines over the years.
If you want to change corporate culture, you don't need to destroy the company, just hold a gun to the head of each CEO and see how fast they make sure everyone else dances.
This is one of the best things about Sarbanes-Oxley - the CEO actually signs off the accounts and will go to jail if the accounts are misleading. So guess what has had top priority at banks across the globe?