Combining the two roles is something that lots of small companies are thinking of, and there is a whole debate on this subject among various professional circles. My personal view is that although in theory it could work, there will be some instances where a conflict of interest might appear.
For instance, the Information Security Officer's job is to protect the assets of the company, and by doing that he/she may engage in monitoring of employees' activities. Thus, the Information Security Officer will think of the best and most extensive ways to monitor the employees in order to ensure that the company's assets are protected. On the other hand, the Data Protection Officer would need to weigh the extent of the monitoring against the rights and freedoms of the employees as well as their expectations of privacy.
So, you can see that there is a conflict of interest if one individual needs to perform both tasks.
There was also a court case in Germany a few years ago in which the court ruled that the Information Security Officer cannot perform the tasks of the Data Protection Officer.