The PRIMARY concern of an information security manager documenting a formal data retention policy wouldbe:

A.
generally accepted industry best practices.

B.
business requirements.

C.
legislative and regulatory requirements.

D.
storage availability.

Explanation:

The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided