How Global Clinical Trial Regulations Impact Healthcare Technology

When searching for clinical trial software, every site, sponsor and CRO has the same question: “how does this software comply with (insert clinical trial regulation here)?” 

Research professionals face an overwhelming number of regulations. In addition to international guidelines like ICH Good Clinical Practice, the Global Data Privacy Regulation (GDPR), or the EU Clinical Trials Regulation, they must also navigate the labyrinths of laws within individual countries. 

We collaborated with WCG, a leader in global compliance, to explore the clinical trial regulations in 26 countries–with more to come. Then we compiled a list of compliance questions you should ask when looking for clinical trial software: 

  • Which elements of compliance is the software vendor responsible for, and which parts am I responsible for?
  • How does the software vendor comply with regulations focused on electronic documents, like FDA 21 CFR Part 11 and EU Annex 11? 
  • What specific functions am I looking for from my technology, and how do regulations impact each of them? 
  • Will the software vendor work with me to ensure I can meet the individual requirements of my country? 

In this article, we’ll tackle how Florence’s compliance team approaches each of the above questions to help our customers with clinical trial regulations. 

This post is intended as guidance, not as legally binding regulations. For in-depth compliance information, please contact a member of our compliance team at

Which elements of compliance is the software vendor responsible for, and which parts am I responsible for?

Florence uses what we call the “Shared Responsibility Model.” The software vendor bears responsibility for ensuring their software meets the technical requirements of compliance in different countries. However, the site, sponsor, or CRO that buys the software bears responsibility for ensuring their internal processes follow compliance regulations. 

As part of this model, Florence:

  • Ensures our software meets the technical requirements for electronic document software set out in FDA 21 CFR Part 11 and EU Annex 11
  • Offers built-in compliance features like audit trails, version control, users and permissions, and electronic signatures with a password
  • Makes product updates or feature changes based on customer needs and global regulations

In turn, customers should: 

  • Review their contracts to see which functions they can perform using software 
  • Update their Standard Operating Procedures (SOPs) and internal processes to reflect their use of technology
  • Understand how to use their new technology compliantly over the course of a study

The site, sponsor, or CRO customer will always bear some responsibility for compliance. But as part of our commitment to white-glove service, our implementations team often helps customers set up their technology compliantly, update their SOPs, and create new internal procedures. 

To learn more about how Florence’s compliance team works with customers, you can visit our centralized Compliance page.

How does the vendor comply with regulations focused on electronic documents, like FDA 21 CFR Part 11 and EU Annex 11? 

Most clinical trial software will contain electronic documents at some point. Therefore, it’s especially important for clinical trial software to meet the technical requirements of electronic document regulations, like FDA 21 CFR Part 11 in the U.S. or Annex 11 in the EU. 

Since these regulations are so fundamental, we recommend asking about them early in the software vendor vetting process. 

A few good questions to ask about electronic documents include: 

  • Does the system produce accurate and complete electronic records?
  • Can the records be retained for the required period listed in regulatory guidelines? 
  • Is system access limited to authorized individuals? 
  • Can the system create a secure, computer-generated, time-stamped audit trail? 
  • Does the system have version control that allows you to see older versions of documents? 

You should also ask your vendor questions about eSignatures, like: 

  • Are electronic signatures unique to each authorized individual? 
  • Do the eSignatures include the printed name of the signer, date and time of signing, and reason for signing? 
  • Is the identification of the signer verified using two methods, such as a username and password or username and face ID? 
  • Does the user enter their password or other form of ID before each signing? 

Electronic signatures generated and stored within Florence products meet the requirements of advanced electronic signatures:

  • Uniquely linked to the signer;
  • Capable of identifying the signer;
  • Created in a way that the signer can, with a high level of confidence, use under their sole control; and
  • Linked to the Electronic Record in such a way that any subsequent change in the data is detectable.

We do this by requiring each user to have a unique login and to reenter their password before signing documents. We also ensure that signatures show the user’s name, job title (optional), and reason for signing. Finally, the audit trail records every time there has been a change to a document. 

If you’d like to learn more about the features you need to use eSignatures and electronic documents, the Florence compliance team has crafted a checklist to help.

What specific functions am I looking for from my technology, and how do regulations impact each of them? 

Clinical trial technology can perform a variety of functions, each with its own regulatory requirements. With WCG, we focused on:

  • eSignatures and document management
  • Remote monitoring
  • Source data collection and storage

We’ve already discussed the requirements for eSignatures and document management–now let’s dive into the requirements for remote monitoring and source data storage.

Source data contains information about patients’ health, and remote monitoring grants CRAs access to this information. Therefore, clinical trial software must follow general data privacy regulations, like GDPR in the EU, APPI in Japan, and HIPAA (which affects medical data only) in the U.S. 

You’ll also need software platforms that comply with broad clinical trial regulations, like the EU Clinical Trials Regulation and ICH guidelines.

Once you know whether your vendor follows these broad regulations, you need to ask how the vendor adjusts to individual countries’ regulations around source data and remote monitoring. 

For example, China has some of the strictest data localization requirements in the world, which can heavily affect whether source data storage or remote monitoring is allowed. In contrast, countries like the U.S., South Korea, the UK, and the Netherlands offer far more flexibility on how sites and sponsors store source data and perform remote monitoring. 

Given all these considerations, how do you determine whether software is compliant? Start by asking your vendor these questions: 

  • How do you comply with general data privacy regulations, like GDPR or HIPAA?
  • How do you comply with international clinical trial regulations, like ICH Good Clinical Practice?
  • What steps do I need to follow to use your technology compliantly for source storage or remote monitoring? 
  • If I want to perform remote monitoring or source storage in “X” country, what steps should I follow? 

The vendor’s compliance team should be able to walk you through how to set up the software compliantly in each country where you want to engage with data storage and monitoring. If you’d like to ask questions of our compliance team, you can email

Will the vendor work with me to ensure I can meet the individual requirements of my country? 

If the vendor doesn’t meet a country-specific technical requirement, it’s always possible to ask their compliance team whether they can implement a change to the software. 

An example: while researching UK regulations, our compliance team noted that the UK requires eSignatures to include a person’s title, not just their name. Our development team then added a feature that applies the user’s job title to their eSignature. 

Your clinical trial software should be compatible with broad regulations, like ICH GCP, GDPR, HIPAA, 21 CFR Part 11 and Annex 11, long before you purchase it. But if you know which countries you plan to use the software in, it’s important to bring that up during the vendor vetting process. 

A good software vendor will give you a detailed breakdown of:

  • Whether their software meets the technical requirements of the countries you want to use it in
  • Whether they can adapt their software to meet those technical requirements
  • Which requirements you should follow to use the technology compliantly 

As part of our commitment to “white-glove service,” Florence goes beyond meeting technical requirements and helps customers understand how to update their SOPs and processes. If you’re concerned about compliance, ask vendors whether they offer help with SOPs during implementation.

A Global Approach to Clinical Trial Regulations 

Every country has dozens of complex regulations for clinical trials. To find clinical trial software that follows these regulations, start with big-picture questions, like:

  • What aspects of compliance you’re responsible for and which the vendor is responsible for
  • Whether the vendor follows electronic document and signature regulations, like 21 CFR Part 11 and Annex 11
  • How the vendor addresses data privacy laws that affect source data, such as HIPAA, GDPR, and APPI
  • Whether the vendor is willing to adapt to meet your software needs

Exploring these big questions will put you on the road toward finding compliant software that makes your trials more efficient.

Still have questions? Check out our Compliance page, complete with FDA 21 CFR Part 11, GDPR, and HIPAA resources.