I have some teammates who use the download feature on weekly smart list subscriptions. Will downloading these lists of leads be compliant with GDPR secure file sharing?
The GDPR itself does not mandate encryption.
But if your legal team has determined that encryption at rest is part of a good-faith effort to protect private data (with or without GDPR, but with an eye toward smoothing things over with regulators when bad things happen) then making lists available offline on untrusted devices is likely to break that internal contract.
I just had a read of this GDPR guide from Marketo.
It says it applies "encryption to all data in transit".
It includes the following:
Data Encryption
By default, Marketo implements suitable measures to prevent personal data from being read, copied, altered or deleted by unauthorized parties during transmission, applying high grade TLS encryption to all data-in-transit through the use of HTTPS connections to all Marketo instances. In addition, customers have the option to add encryption to data at-rest by storing their data on AES-256 encrypted hardware. Encryption at-rest provides a further safeguard in the case of a data breach, as any data stolen would be illegible and unusable.
Does this mean that the subscription lists are encrypted and only readable by the recipient?
Nope, because the link is being sent via SMTP, which is inherently insecure (it's a plain-text medium). This would not be considered end-to-end encryption by any means. Any network that includes plain HTTP (not HTTPS), FTP (not SFTP/FTPS), or SMTP can't be considered "encrypted."
Nope. Even if the link to the list were transmitted over a totally secure medium and encrypted at rest on the server, anybody with access to the instance can decrypt the data (it's not per-recipient encryption).
Again, your legal department will determine what level of security is necessary but it's vital to state clearly what's being delivered.