The GDPR requires the Data Protection Officer (the DPO) as a cornerstone role. The DPO, in fact, must keep a balance between different and opposite interests: controllers’, data subjects’ and Data Protection Authorities’. The DPO must also have a deep knowledge of data protection of GDPR and data protection and suggest a solution to implement and comply with GDPR.
A legal counsel within a company could provide such service only if he/she would be able to keep independency from the data controller interest and consider also data subjects’ interest and being able to dialogue with Data Protection Authorities in case of control. It is not so easy for internal legal counsels who are used to consider the interest of the company firstly.
Of course, the GDPR does not forbid it, and in case an internal legal counsel is appointed as DPO, the controller must be accountable for the independency required from the DPO role (in terms of powers, resources, the time provided to perform the tasks). The legal counsel, of course, must be an expert in data protection having a deep knowledge of GDPR and Data Protection Authorities interpretation as well as of company process of data.
You can find more information about the DPO role in these articles:
You may also consider enrolling in these online courses: