You and your company must comply with the new accountability concept that the Personal Data Regulation has introduced. It has become one of the basic principles of the regulation.
You must be able to prove that you comply with the rules. This can for instance be done by providing data flow analyses, policies, business processes and controls.
Even if you comply with the privacy rules in practice, not documenting it can be a violation of the regulation. As such, you have to control data and at the same time provide evidence that you are doing so. You must have an overview of your data and data streams across the entire organization.
The responsibility used to lie with the Danish Data Protection Authorities, but now it lies with the individual data controllers - i.e. you and your company.