With the growing threat of insider-driven security incidents, many companies are creating rigorous insider threat programs. Security and risk (S&R) leaders, however, need to ensure these programs exhibit empathy for people, operate with integrity, and remain compatible with privacy regulations such as the General Data Protection Regulation (GDPR). This report helps S&R pros set up a competent program that not only delivers against security objectives but also doesn’t sacrifice the employee experience (EX).