Absolutely! Don’t just start building stuff, even if it’s very tempting. You need a proper set of requirements from them, especially with something as important as data security and privacy legislation.
Personally I don’t see why a privacy/legal team would need access to all server logs dating back a year. I could understand them wanting specific security and access logs, to trace which users accessed which data. But as @jan already said: we can’t imagine what your “GDPR Team” is supposed to be doing all day.
I mean, even our security auditors will not require full access to the full server logs dating back that far. It’s mostly security stuff, which is a limited subset.
So… time for talks, meetings, proposals and most importantly: lists of requirements.