A website that passed a compliance scan in January can be violating GDPR by March. Marketing added a new analytics tag. A third-party script updated and started setting tracking cookies. The SSL certificate expired. Nobody noticed because continuous compliance monitoring was not in place.
One-time scans give you a snapshot. Snapshots expire. The question is not whether your website was compliant three months ago, but whether it is compliant right now.
Six ways websites drift out of compliance
Compliance drift happens silently. Nobody plans to violate GDPR. But websites are living systems, and every change is a potential compliance event.
- Marketing adds new tracking tags without consulting the DPO or legal team
- SSL/TLS certificates expire, degrading transport security required by Article 32
- Third-party scripts update and introduce new tracking behaviors the site owner never approved
- CMP configuration changes break consent flows: reject buttons stop working or new cookie categories go uncovered
- New pages get added without proper cookie consent integration
- Third-party vendors change their data processing locations, turning an EU-hosted service into a cross-border transfer
Each of these happens routinely. Most organizations discover the problem when a customer complains, a regulator asks questions, or a competitor points it out publicly.
A 2025 study by the Irish DPC found that 40% of websites that had corrected consent violations after enforcement action had re-introduced similar violations within six months. Compliance is not a one-time event.
GDPR accountability is ongoing, not one-time
GDPR does not say 'demonstrate compliance once.' Article 5(2) makes accountability an ongoing obligation. Article 24(1) requires controllers to implement measures that are reviewed and updated where necessary. Article 32(1)(d) explicitly requires 'a process for regularly testing, assessing and evaluating the effectiveness' of technical and organisational measures.
The word 'regularly' in Article 32(1)(d) is the legal hook for continuous monitoring. A scan performed once a year is hard to defend as regular testing when the site itself changes weekly. Regulators have made this clear in enforcement decisions: accountability requires ongoing verification, not a point-in-time certificate.
How Vakteye monitors compliance continuously
Vakteye runs five monitoring tasks that track compliance status between full scans. These are not simplified re-scans. Each one detects a specific type of drift.
- Continuous monitor: scheduled re-scans that detect new violations, changed behaviors, and resolved issues compared to the last full scan
- Certificate expiry detection: alerts before SSL/TLS certificates expire, preventing Article 32 security degradation
- Compliance drift alerts: automated notifications when new violations appear on a previously clean domain
- Auto-revocation: when monitoring detects violations on a certified domain, the compliance badge is automatically revoked until the issues are resolved
- Scan health check: monitors the scanning system itself so you can trust the monitoring results
The monitoring system runs on a weekly rotation across all monitored domains. Each domain gets re-checked regularly without any manual intervention required.
Compliance drift detection: what changes between scans
Drift detection compares the current scan state against the last known baseline. New findings that were not present in the previous scan are flagged as drift. Something changed, and it introduced a compliance risk.
Common drift patterns Vakteye catches include new third-party cookies appearing after a marketing team installs a tag, consent banners breaking after a CMP update, security headers being removed during a deployment, and certificate configurations downgrading after a server migration.
Each drift alert includes the specific finding, when it first appeared, and how it compares to the previous scan. This turns 'something changed' into 'here is exactly what changed and why it matters.'
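The comparison described above is a set difference between two scan snapshots, with a small history map so each alert can say when a finding first appeared. The following Python is an added illustration, not Vakteye's code: the snapshot fields, the essential-cookie allow-list, the required-header list, the 30-day certificate window and the January/March sample scans are all constructed assumptions. It also shows the auto-revocation rule from the next section, since both decisions come from the same diff.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed policy inputs for the example: cookies that are strictly necessary
# (allowed before consent) and response headers a scan expects to see.
ESSENTIAL_COOKIES = {"session_id", "csrf_token"}
REQUIRED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
}
CERT_WARN_DAYS = 30  # alert this many days before the certificate's notAfter


@dataclass
class Snapshot:
    """What one scan observed on a domain. Constructed, not real scanner output."""
    scanned_on: str                   # ISO date of the scan, e.g. "2025-03-15"
    cookies_before_consent: set       # cookie names set before any consent choice
    response_headers: dict            # lower-cased header name -> value
    cert_not_after: str               # certificate notAfter as an ISO date
    reject_button_effective: bool     # after "reject", no non-essential cookie was set


def findings(snap: Snapshot) -> set:
    """Reduce a snapshot to stable finding identifiers so two scans can be diffed.
    Identifiers must not embed run-specific values (dates, counts), or every
    weekly scan would report the same problem as 'new'."""
    out = set()
    for name in snap.cookies_before_consent - ESSENTIAL_COOKIES:
        out.add(f"cookie-before-consent:{name}")
    for header in REQUIRED_HEADERS - set(snap.response_headers):
        out.add(f"missing-header:{header}")
    days_left = (date.fromisoformat(snap.cert_not_after)
                 - date.fromisoformat(snap.scanned_on)).days
    if days_left < 0:
        out.add("certificate:expired")
    elif days_left <= CERT_WARN_DAYS:
        out.add("certificate:expiring-soon")
    if not snap.reject_button_effective:
        out.add("consent:reject-ineffective")
    return out


@dataclass
class DriftReport:
    new: set = field(default_factory=set)         # present now, absent in baseline
    resolved: set = field(default_factory=set)    # present in baseline, gone now
    persisting: set = field(default_factory=set)  # present in both
    first_seen: dict = field(default_factory=dict)  # finding -> scan date it appeared


def detect_drift(baseline: Snapshot, current: Snapshot,
                 first_seen: Optional[dict] = None) -> DriftReport:
    """Compare the current scan to the last baseline. `first_seen` is carried
    across runs so an alert can say when a finding first appeared."""
    before, now = findings(baseline), findings(current)
    report = DriftReport(new=now - before, resolved=before - now,
                         persisting=before & now, first_seen=dict(first_seen or {}))
    for f in report.persisting:
        report.first_seen.setdefault(f, baseline.scanned_on)
    for f in report.new:
        report.first_seen[f] = current.scanned_on
    for f in report.resolved:
        report.first_seen.pop(f, None)
    return report


def badge_status(report: DriftReport) -> str:
    """Auto-revocation rule: any open finding, new or persisting, revokes the badge."""
    return "revoked" if report.new or report.persisting else "valid"


def alerts(report: DriftReport) -> list:
    """Alert lines in a deterministic order."""
    lines = [f"NEW {f} (first seen {report.first_seen[f]})" for f in sorted(report.new)]
    lines += [f"OPEN {f} (since {report.first_seen[f]})" for f in sorted(report.persisting)]
    lines += [f"RESOLVED {f}" for f in sorted(report.resolved)]
    return lines


# Constructed sample: a clean January scan, then a March scan after a marketing tag
# was added, CSP was dropped in a deployment and the certificate entered the warning window.
JANUARY = Snapshot(
    scanned_on="2025-01-15",
    cookies_before_consent={"session_id"},
    response_headers={"strict-transport-security": "max-age=31536000",
                      "content-security-policy": "default-src 'self'",
                      "x-content-type-options": "nosniff"},
    cert_not_after="2025-04-10",
    reject_button_effective=True,
)
MARCH = Snapshot(
    scanned_on="2025-03-15",
    cookies_before_consent={"session_id", "_ga", "_fbp"},
    response_headers={"strict-transport-security": "max-age=31536000",
                      "x-content-type-options": "nosniff"},
    cert_not_after="2025-04-10",
    reject_button_effective=True,
)

if __name__ == "__main__":
    report = detect_drift(JANUARY, MARCH)
    print("\n".join(alerts(report)))
    print("badge:", badge_status(report))
```

The one design choice worth copying is the stable finding identifier: the diff is only meaningful if the same problem produces the same key on every run, which is why the certificate finding is `certificate:expiring-soon` rather than a days-remaining count.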
Auto-revocation: compliance badges that mean something
Vakteye issues compliance badges to domains that pass a full scan and human review. The badge is not a permanent certificate. It is a status indicator backed by continuous monitoring.
When monitoring detects violations on a badged domain, the badge is automatically revoked. The domain owner receives a notification with the specific violations found. The badge is restored only after the violations are resolved and verified.
A compliance badge without continuous monitoring is a liability. It tells your customers and regulators that you were compliant at some point in the past. Vakteye's badge tells them you are compliant right now.
This auto-revocation mechanism prevents the most common problem with compliance certifications: they go stale. A badge issued six months ago based on a one-time scan provides false assurance.
The cost of not monitoring
Reactive compliance (waiting for problems to surface) is more expensive than continuous monitoring. A customer complaint triggers an investigation. A regulator inquiry demands rapid evidence gathering. Both cost more than catching the issue early.
GDPR fines under Article 83 scale with the infringement: Article 83(2)(a) lists 'the nature, gravity and duration of the infringement' among the factors a supervisory authority weighs. A violation that persisted for six months because nobody was monitoring is, all else being equal, treated more severely than one caught and remediated within weeks. Duration matters to regulators.
Start continuous monitoring
Vakteye monitors your domains for compliance drift, certificate expiry, and new violations. Set it up once and get alerted when something changes.
Go to monitoring dashboard
Set it up once, stay informed continuously
Continuous monitoring removes the guesswork from compliance. You do not need to remember to run scans. You do not need to manually check certificate expiry dates. You do not need to audit every marketing tag deployment.
The monitoring system runs automatically. When something changes, you get an alert with the specifics. When nothing changes, each scan still adds to the evidence trail of regular testing that Article 32(1)(d) requires and that Article 5(2) accountability asks you to demonstrate. Either way, you are covered.
See pricing for monitoring
Continuous compliance monitoring is included in Vakteye's professional plans. No per-scan fees, no surprise costs.
View pricing