Yes.
The ICO states:
“If you haven’t already done so, you must ensure any contracts which were in place as of 25 May 2018 meet the GDPR’s requirements.
Controllers and processors should therefore check their existing contracts to make sure they contain all the required elements. If they don’t, it’s essential to either amend existing contracts or get new contracts drafted and signed, and to review all template contracts in use.
It would also be prudent for controllers to make sure their processors understand the reasons for the changes and the obligations that the GDPR puts on them. The processor should understand that it may also be directly subject to an administrative fine or other sanction if it does not comply with its obligations. “
