This article argues that it is necessary for Korea to introduce a review system of privacy policies and an audit system of the practices of personal data processors. The author tries to draw lessons from surveying relevant laws and regulations of the European Union, the United Kingdom, and the United States. Privacy policies of entities may be the first target of privacy protection review but should not be the only target. It should be noted that there is discrepancy between what is stated in the privacy policy and what is actually carried out. Standard privacy policies may be easily found on the Internet. Self-assessment tools are also available. Personal data processors may draft their own privacy policies in a quarter of an hour by online templates. A review of those privacy policies may only be an initial step in the process of finding problems and solutions therefor in the current practices of personal data protection by the public and private entities. The experiences of major foreign countries that this article surveyed show the necessity to introduce a privacy audit system. The scope of audit of personal data protection should go beyond the formal privacy policies of entities into organizational structure, field practices, education of employees, technological privacy protection measures, etc. Measured steps should be taken to develop the discussion on the review of privacy policies into the discussion on the audit of general practices of personal data processors.